The Story Behind The Hackers Behind The Largest Credit Card Number Heist

from the soon-to-be-a-movie? dept

Tue, May 25th 2010 5:54am — Mike Masnick

A few years ago, the story broke about how TJX, the corporate parent of a series of retail stores, including TJ Maxx and Marshalls, had suffered a huge data breach, after some hackers had accessed its computer network via an insecure wireless connection at one of the stores. A year and a half later, we wrote about the arrests of some of those involved. The following year, we wrote about another hack, at Heartland Payment Systems, that had the potential to surpass the TJX hack as "the largest ever" in terms of the number of records accessed. It later came to light that both hacks were actually done by the same guys, supposedly led by Albert Gonzalez, a hacker who was actually on the government payroll at the time (after turning informant upon being caught a few years earlier standing in front of an ATM with a handful of fake ATM cards).

Back in March, Gonzalez received a twenty year sentence for the crime -- the longest sentence for "hacking"-related crime in the US. Others involved in the deal have been sentenced to shorter terms recently as well. Now, Danielle Alvarez, from the Miami New Times, points us to an article written by the paper that details the story behind the hacking, and the folks involved -- including the news (which I hadn't seen elsewhere in following this story -- Update: a few people have pointed to this story that Wired had last year, which I had not seen before) that one suspect end up killing himself after hearing of Gonzalez's arrest. It's a long story, but reads like something that will get turned into a movie at some point. Of course, the study plays down the security flaws at the companies, like TJX, which sent unencrypted credit card data over its network (a point Gonzalez's legal team tried to make in properly calculating how much "damage" he did). Still, it's a fascinating story about a group of young hackers, who wanted to "get rich or die trying," and how at least one of them succeeded at the latter.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: credit cards, hacking
Companies: heartland payment systems, tjx

27 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Dark Helmet (profile), 25 May 2010 @ 6:29am

Deal!
"It's a long story, but reads like something that will get turned into a movie at some point."

As long as we get another topless Angelina Jolie for this Hackers 2 movie, they should make it. Zero Cool rides again!
[ link to this | view in chronology ]
- Anonymous Coward, 25 May 2010 @ 8:20am
  
  Re: Deal!
  Jolie is looking pretty weathered these days. Hackers2 would need a fresh new starlet.
  [ link to this | view in chronology ]
  - Rose M. Welch (profile), 25 May 2010 @ 3:42pm
    
    Re: Re: Deal!
    Megan Fox?
    [ link to this | view in chronology ]
    - Liquid (profile), 26 May 2010 @ 5:57am
      
      Re: Re: Re: Deal!
      Nah not Megan Fox the other hot chick from Transformers the one with the British accent.
      [ link to this | view in chronology ]
- kevinmitnick (profile), 26 May 2010 @ 10:15am
  
  Re: Deal!
  i have bunch of those datas. including track 1 and track 2 datas. i even hacked university grades. email at
  
  hacker4hire@hackermail.com
  [ link to this | view in chronology ]
NullOp, 25 May 2010 @ 7:14am

Hackerz
Hmmm. Sounds like a good movie if Hollywood doesn't fuk it up! TJX got what they deserved. Security is for real. And some folks just want to screw you to screw you.
[ link to this | view in chronology ]
- DeathToNullOp, 25 May 2010 @ 7:54am
  
  Re: Hackerz - TJX got what they deserve
  Fucking asshole. The company is not the one that got screwed, the customers are.
  
  But your to mother fucking stupid to realize that. Or just don't give a flying fuck.
  
  Asshole, your what drive by shootings are good for. The removal of scum.
  [ link to this | view in chronology ]
  - WarOtter (profile), 25 May 2010 @ 8:09am
    
    Re: Re: Hackerz - TJX got what they deserve
    Apparently, you're what Prozac and grammar courses are designed for...
    [ link to this | view in chronology ]
  - Anonymous Coward, 25 May 2010 @ 8:20am
    
    Re: Re: Hackerz - TJX got what they deserve
    deep breathes, in... out... ok... chill out. Put the gun down. down! put it down!
    [ link to this | view in chronology ]
Anonymous Coward, 25 May 2010 @ 8:44am

They could get Lindsey Lohan to play a part. She already had an arrest warrant out for her.
[ link to this | view in chronology ]
Anonymous Coward, 25 May 2010 @ 8:47am

The floppy disk hand-off scene with Zerocool and ThePlague is freakin hilarious....Plagues limo is pulling him on a skateboard....too ridiculous.
[ link to this | view in chronology ]
greenbird (profile), 25 May 2010 @ 8:55am

Data was encrypted
Everything I've read about this (except this article which doesn't get into details) stated that the data was encrypted but using the old WEP encryption. By 2007 this was easily crackable using off the shelf tools.
[ link to this | view in chronology ]
Anonymous Coward, 25 May 2010 @ 8:59am

From the article:

When Jonathan was 6, he began spending whole days on his dad's PC. By middle school, he had switched the family PC from Windows to Linux so he could have more control over the code.

Jonathan's parents were thrilled at his gifts but also wary of his disobedience. Once, when the boy was 13, his mother took away a computer after catching him online in the middle of the night. "He ran away from home and called to say that he wouldn't come back until he got his computer back," Bobby remembers. "We asked the police to trace the call, and he was at this Borders bookstore that was, like, four blocks away."

This is the place where society went off the rails and the train eventually crashed. Fathers used to wear belts and they weren't afraid to use them. Now, if you hit your kid, you're a child abuser and our kids know it.
[ link to this | view in chronology ]
- Dark Helmet (profile), 25 May 2010 @ 9:05am
  
  Re:
  "This is the place where society went off the rails and the train eventually crashed. Fathers used to wear belts and they weren't afraid to use them. Now, if you hit your kid, you're a child abuser and our kids know it."
  
  Oh, that's just GENIUS. Because I'm sure the prison systems of our country are absolutely rife with men and women that WEREN'T smacked around as kids....
  
  Idiot.
  [ link to this | view in chronology ]
Anonymous Coward, 25 May 2010 @ 9:45am

..and Ggogle gets nothign for the same...
So he gets 20 years for capturing freely accessible data from their wi-fi, but Google says "I'm sorry - we captured freely accessible data from thousands of wi-fi systems - and tehy get nothing but some bad net-publicity.

Murderers, drug dealers and rapists get less time than this guy; somethings terribly wrong here.
[ link to this | view in chronology ]
- Mike Masnick (profile), 25 May 2010 @ 10:47am
  
  Re: ..and Ggogle gets nothign for the same...
  So he gets 20 years for capturing freely accessible data from their wi-fi, but Google says "I'm sorry - we captured freely accessible data from thousands of wi-fi systems - and tehy get nothing but some bad net-publicity.
  
  Um, *totally* different situations. One, as noted elsewhere in the comments, the data wasn't on open WiFi, just on a super weak WEP system. Two, the hackers, once they got into the local network, hacked their way up to the overall corporate system. Three, Google wasn't scarfing down all of the data, just brief snippets as they drove by. Four, Google wasn't getting credit card info. Five, and most importantly, Google wasn't them selling them to organized criminals in Eastern Europe for millions in cash...
  [ link to this | view in chronology ]
out_of_the_blue, 25 May 2010 @ 10:18am

"a hacker who was actually on the government payroll"
"one suspect ended up killing himself" -- People anywhere near a gov't op that gets exposed are *highly* likely to "suicide".
[ link to this | view in chronology ]
Bruce Ediger, 25 May 2010 @ 10:29am

Wired covered Jonathan James' suiced in July of 2009:

http://www.wired.com/threatlevel/2009/07/hacker/

Looks like the Miami New Times actually did a lot of legwork and got some new details for their story, however. Good for them.
[ link to this | view in chronology ]
Anonymous Coward, 25 May 2010 @ 10:36am

sad story, especially Jonathan James' suicide. Albert deserves to serve a long time. even his plea comes across as arrogantly-contrite. amazing he had millions in cash in plastic tubs burried in his backyard.
[ link to this | view in chronology ]
Tom Landry (profile), 25 May 2010 @ 12:58pm

well, if you're going to lead a life of crime ya might as well go for the gusto......
[ link to this | view in chronology ]
None, 27 May 2010 @ 6:41am

Have to add...
You have to add the fact that the head security guy the company brought in to fix the problems quit because they would not let him do the right things or listen to his sound security advice which leaves them still vulnerable.
[ link to this | view in chronology ]
Anonymous Coward, 27 May 2010 @ 8:55am

Gay story
[ link to this | view in chronology ]
Anonymous Coward, 28 May 2010 @ 4:27am

It's all true
[ link to this | view in chronology ]
kevinmitnick (profile), 18 Jun 2010 @ 9:17pm

hacker for hire
hacker for hire

hacker4hire@hackermail.com
[ link to this | view in chronology ]
Duong, 30 Aug 2010 @ 4:58pm

Special Service Form Installsmarket, Loadssell, Carders, Wizard.(Offering The Best Skim Dumps,Track1/2 Bank Login And Cc Only.)
Special Service Form Installsmarket, Loadssell, Carders, Wizard.(Offering The Best Skim Dumps,Track1/2 Bank Login And Cc Only.)

Sell CVV2 Fresh:

US CVV $2 Visa,US CVV $3 Master,US CVV $5 Amex,US CVV $6 Discover
Uk CVV $6 Amex/Disc,Uk CVV $4 Master/Visa

EU CVV $8 Disc/Amex,EU CVV $6 Master/Visa
CA CVV $3 Master/Visa ,CA CVV $6 Disc/Amex

CVV From All Country In World Is Available.
and You Can ask For Special Bin.
We Search In Our Big Db.

CVV Selling Option :
We Checked Cvv B4 Sell You.
We Replace Dead Cvv In 48 Hurs.

CVV Selling Option :
We Checked Cvv B4 Sell You.
We Replace Dead Cvv In 48 Hurs.Fulls come with this info
Firstname, Lastname, Address, City, State, Zipcode, Phone, SSN, Mother'sMaidenName, DOB,
Driver's License # and state, Email pass , Verifiedbyvisa pass, Cardnumber, Expiry Date, CVV2,
Employment, Position Held
Bank pass, number, name, account number and Routing Number and other infoz.

Dumps Pricse List:
Usa:
Visa Classic, MasterCard Standard - 15$
Visa Gold | Platinum | Business, MasterCard Gold | Platinum - 30$
Canada:
Visa Classic, MasterCard Standard - 30$
Visa Gold | Platinum | Business, MasterCard Gold | Platinum - 40$

EU, UK:
Classic/Standard =55$
Gold/Platinum =75$
Business/Signature/Purchase/Corporate/World =100$

Other countries:
MasterCard| Visa Classic - 40$
Visa Gold|Platinum|Corporate|Signature|Business – 55$

Sample Of Dumps:
Track1 : B4096663104697113^FORANTO/CHRI STOPHER M^09061012735200521000000 ,
Track2 : 4096663104697113=0906101273525 21

372376064851003=0904051136147; PURCELL/JOHN
5232258252218386=0904101000007 2500604

4217642188250286=1011101803115 5200000;B42176421882 50286^POPOVICH/SHERRY ^10111018031155200000

5472742570155205=11041010000070000000

B5588320028938646^STOUGH/WILLIAM M ^110110101501029000000000000000000*5588320028938646=1101101015010290**

B5528300065123784^HOLLAND/ JEREMIAH V ^120110100000001601000000286000000*5528300065123784=1201101016010286**

B5588320041716144^HODGES /THOMAS L ^100710101501830000000000000000000*5588320041716144=1007101015018300**
B5588450919403291^WARD/JENNI FER ^1202101000000000289000000*5588450919403291=12021010000028900**

Bins List:
;Corporate And Debit For Italy: Banca di Sassari
400325 - 1 (Other: 1 ),402041 - 2 (201: 2 ),402186 - 1 (201: 1 ),402360 - 12 (Other: 12 ),

Debit;visa;Classic For Uk:HSBC Bank PLC
465976 - 1 (201: 1 ),465950 - 3 (201: 3),465944 - 2 (201: 2 ,465943 - 2 (Other: 2 )465941 - 1 (201: 1 )

Credit,Visa,Classic For France:Caisse National
497671 - 1 (201: 1 ),497601 - 1 (201: 1 ),497546 - 1 (201: 1
),497539 - 1 (201: 1 )

DEBIT;mc;STANDART For Spain:MASTERCAJAS S.A.
554013 - 1 (101: 1 ),554001 - 1 (201: 1 ),554001 - 1 (201: 1 )553435
- 1 (201: 1 )

Gold,Platinum,Business,Small Corporate For Us:unknown;amex
371756 - 1 (Other: 1 ),371745 - 2 (Other: 2 ,371726 - 1 (Other: 1 ,371707 - 1 (Other: 1 ,372050 - 1 (Other: 1 ,

DEBIT;mc;WORLD;;; For Us: - CHASE BANK USA, N.A.;
546615 - 1 (101: 1 ),546615 - 1 (101: 1 ),546604 - 2 (101: 2 ),

Bank Login :
Bank Login From Usa And Eu And Uk And Asia Is Avaiable.
Available Bank Login With They Are Screen Shot A Side :

Abbey (Screen Shot Link):
HSBC(Screen Shot Link):
Chase(screen Shot Link):
HDFC Bank(Screen Shot Link):
BOA(Screen Shot Link:
Bank Of America(Screen Shot Link):- http://i37.tinypic.com/14j3lmx.png - Online

And We Have Good Service For Bank Transfering For You .
And Our Service Is Very Fast And Safe And immediate .

BankLogins Prices:

BALANCE IN CHASE ..........70K TO 155K ========160$
BALANCE IN BOA..........75K TO 450K==========300$
BALANCE IN COMPASS..........ANY AMOUNT=========300$
BALANCE IN ABBEY..............82K ===========700$
BALANCE IN HSBC.................50K========350 $

Be Very Carefull When Dealing With Someone Dnot Loose Your Money To Fucking Rippers
And We Hope To Give The Best Stuff You Will Love Dont Forget That We Need More Customers.

Contact Details
------------------------------------------------------
Yahoo Id: Duong_bmt50

Yahoomail: Duong_bmt50@yahoo.com

Icq: 624558010

-- My Private Email: Duong_bmt50@hotmail.com
[ link to this | view in chronology ]
wilson, 1 Sep 2010 @ 8:45pm

hello
all these things you guys doing here is fake inorder to get money from guys posting alot of things in here
[ link to this | view in chronology ]
Salvatore, 1 Jun 2012 @ 1:08pm

Carding
I have cc top up,.rdp,smtp, socks, dumps without pin, cvv all countries, shopping etc. contact me at devilmugu99@yahoo.com..cheers
[ link to this | view in chronology ]