SAN FRANCISCO — A man who prosecutors said had masterminded some of the most brazen thefts of credit and debit card numbers in history was charged Monday with an even larger set of digital break-ins.
In an indictment, the Department of Justice said that Albert Gonzalez, 28, of Miami and two unidentified Russian co-conspirators made off with more than 130 million credit and debit card numbers from late 2006 to early 2008.
Prosecutors called it the largest case of computer crime and identity theft ever prosecuted. According to the government, the culprits infiltrated the computer networks of Heartland Payment Systems, a payment processor in Princeton, N.J.; 7-Eleven Inc.; Hannaford Brothers, a regional supermarket chain; and two unnamed national retailers.
An unspecified portion of the stolen credit and debit card numbers were then sold online, and some were used to make unauthorized purchases and withdrawals from banks, according to the indictment, which was filed in U.S. District Court in New Jersey. Although some states require card issuers to notify customers about security breaches, it is unclear whether all individuals whose card numbers were stolen in this case have been notified and offered new account numbers.
Gonzalez has been in custody since May 2008, when he was arrested in connection with another prominent data theft at the Dave & Buster's restaurant chain. He has also been indicted in other thefts of credit and debit cards, including the 2005 data breach at TJ Maxx stores, a division of TJX, based in Framingham, Mass.
Gonzalez is awaiting a trial in New York in the Dave & Buster's attack and, separately, another in Massachusetts in the TJX breach. Trials on the charges announced Monday will have to wait until those cases are completed, federal prosecutors said.
Gonzalez's attorney, Rene Palomino Jr., did not respond to requests for comment.
Erez Liebermann, an assistant U.S. attorney in New Jersey, said Gonzalez's involvement in so many data breaches suggested that "perhaps the individuals capable of such conduct are a tighter-knit group than may have been previously thought."
Gonzalez once worked with federal investigators. In 2003, after being arrested in New Jersey in a computer crime, he helped the Secret Service and federal prosecutors in New Jersey identify his former conspirators in the online underworld where credit and debit card numbers are stolen, bought and sold.
But Gonzalez secretly reconnected with his old associates, federal officials have said, and continued to ply his trade using a variety of online pseudonyms, including Segvec and Cumbajohnny.
According to the new indictment, Gonzalez and his conspirators reviewed lists of Fortune 500 companies to decide which corporations to take aim at and visited their stores to monitor which payment systems they used. The online attacks took advantage of flaws in the SQL programming language, which is commonly used for databases.
Prosecutors say the defendants created and placed "sniffer" programs on corporate networks; the programs intercepted credit card transactions in real time and transmitted the numbers to computers the defendants had leased in the United States, the Netherlands and Ukraine.
The conspirators attempted to erase all digital footprints left by their attacks, according to the indictment.
Heartland, one of the world's largest credit and debit card payment processing companies, announced in January that its network had been breached but declined to provide many details. The disclosure came during President Barack Obama's inauguration, which prompted critics to question whether the company was trying to play down the news.
Neither the Department of Justice nor the Secret Service would discuss the investigative breakthroughs in the case. Each defendant faces the possibility of 35 years in prison, and more than $1 million in fines or twice the amount made from the crime, whichever is greater.
Threat Level, a blog run by Wired magazine, reported that Gonzalez had lived a lavish lifestyle in Miami, once spending $75,000 on a birthday party for himself and complaining to friends that he had to manually count thousands of $20 bills when his counting machine broke.
Richard Wang, manager of Sophos Labs U.S., a security firm, said the case provided more evidence that retailers and banks needed to strengthen industry standards and encrypt credit card numbers when they are transmitted between computers. Currently, major banks agree to encrypt such data only when it is stored.
Wang also doubted that the world had seen the last significant theft of credit card numbers.
"I'm not sure how likely it is that they are going to get the Russian co-conspirators," Wang said. "Obviously there are still plenty of people with the necessary expertise to pull off these kinds of attacks."