Commentary Addressing Risks and Opportunities Through the Lifecycle of Data, Technology, Advertising and Innovation

Data Counsel

Home | Data Counsel

Federal prosecutors <a href="http://www.justice.gov/usao/nj/Press/files/Drinkman,%20Vladimir%20et%20al.%20Indictment%20News%20Release.html">announced yesterday</a> the arrest and indictment of five men accused of involvement in the theft of over 160 million credit card numbers. According to prosecutors, thefts by this group involved some of the largest and most notable U.S. data breaches of recent years, including <a href="http://www.bankinfosecurity.com/global-payments-breach-tab-94-million-a-5415/op-1">Global Payments</a>, <a href="http://usatoday30.usatoday.com/money/perfi/credit/2009-01-20-heartland-credit-card-security-breach_N.htm">Heartland Payment Systems</a>, <a href="http://www.bankinfosecurity.com/global-payments-breach-tab-94-million-a-5415/op-1">Hannaford</a>, and <a href="http://www.nytimes.com/2011/02/06/business/06nasdaq.html?_r=0">NASDAQ</a>, among others.

Payment card information is among the most sought-after information by data privacy thieves. The indictments allege that this group, based in Russia and the Ukraine, sold the stolen card data to “trusted identity theft wholesalers” for prices ranging from $10 - $50 per card. Federal prosecutors estimate that the group caused “hundreds of millions” of dollars in losses, most of which are borne by companies.

The arrests highlight the challenges faced by businesses from increasingly sophisticated data privacy thieves, and sheds light on the lengths which hackers may be willing to go when targeting companies. The indictment alleges that this group would patiently spend months penetrating corporate networks, using malware, <a href="http://en.wikipedia.org/wiki/SQL_injection">SQL Injection</a> and other tactics. The groups also defined specialized roles for its members, with some members dedicated to penetrating network security, others dedicated to maximizing the amount of the data obtained from the companies, and another responsible for selling the stolen data. The group also undertook measures to conceal their activities.

The men face between 5 and 30 years in prison if convicted.

Federal Prosecutors Indict Accused Data Thieves