Heartland, Hannaford and TJ Maxx Hacks All Related

Brian Krebs at the Washington Post busts this story wide open, saying that the most massive hacks of the past three years, each of which I have covered here, here and here, were all perpetrated by the same attackers.

One person, an informer in the case, is behind bars already. The other players seem to be Russian mobsters. Good luck with that extradition, DOJ.

From the WaPo here:

A federal grand jury has indicted three people on charges of hacking into the files of the credit and debit card processing giant Heartland Payment Systems last year in what the Justice Department is calling the largest identity-theft case ever prosecuted.

The same three people were involved in a string of high-profile data breaches from October 2006 to May 2008, including intrusions at grocery chain Hannaford Brothers and 7-Eleven. In total, the suspects stole data on more than 130 million credit and debit cards from Heartland alone.

One of the accused, a 28-year-old former Secret Service informant named Albert Gonzalez of Miami, was indicted last year for his alleged role in several other major data breaches, including ones at T.J. Maxx, Barnes & Noble, BJ’s Wholesale Club, Boston Market, DSW, Forever 21, Office Max and Sports Authority.

Authorities say hackers in the United States, Russia and Eastern Europe worked together to target known security weaknesses in computer systems. The indictments do not name the other two alleged hackers, describing them only as “Hacker 1” and “Hacker 2” and saying they are from Russia.

Those Russian hackers may as well be Thing1 and Thing2 from Cat in the Hat. They will never see a trial. Its not like we routinely extradite criminals from Russia. Hell, we seem to be having trouble getting the world’s dumbest hacker to stand trial here.