Feds Bust Largest Hacking, Data Breach in US History

Five men have been charged with stealing and reselling over 160 million credit card numbers.
8:48 | 07/25/13

Coming up in the next {{countdown}} {{countdownlbl}}

Coming up next:



Skip to this video now

Now Playing:


More information on this video
Enhanced full screen
Explore related content
Related Extras
Related Videos
Video Transcript
Transcript for Feds Bust Largest Hacking, Data Breach in US History
We're here to announce today that our office has obtained an indictment. Against charging five international computer hackers who -- the leaders of a group responsible for several of the largest -- data breaches. Ever uncovered. They targeted some of the largest companies in the world. Stealing millions of credit and debit card numbers and causing hundreds of millions of dollars in losses to their victims. Two of the defendants Vladimir -- and Dmitry snowy nights are in custody. Treatment is awaiting an extradition hearing in the Netherlands personally -- -- who appear in federal court in New Jersey next week. The remaining three Alexander Colleen and Roman caught off and -- -- a cough or fugitives. Among other charges all five of the defendants are charged with conspiracy to commit wire fraud. Which carries a maximum penalty of thirty years in prison and a fine of a million dollars or twice the gain or the loss from the offense. If convicted they will also be ordered to repay the victims for the losses they have cost. And the losses in this case or staggering. The conspirators and his criminal enterprise breached the computer networks of at least seventeen. Major retailers. Financial institutions and payment processors. And obtained more than a 160. Million credit and debit card numbers. They then sold those card numbers to individuals who ultimately use them to cause losses of at least 300 million dollars. And that by the way is our conservative estimate of losses the amount we've been able to confirm so far. And suffered by only three of the victim companies the actual loss figure may well be much much higher -- -- scheme was so sophisticated. And brought together some of the most experienced and skilled hackers in the world. -- -- of the indictment identifies each of the players in the group and their specialties. Drink men and collision with -- penetration experts they possessed the skills and the unique hacking tools to gain initial access to the victim companies. After getting in it was the expertise of treatment and cocked off. That located and retrieved the credit and debit card information and other personal information in those networks. -- that sensitive and valuable information in hand. They then turned to the broker snow -- -- who set up the deals to sell the data throughout the world. Defendant -- Cobb provided the conspirators with the hacking platforms or computer servers. From which they could launch -- execute their attacks and on which they could temporarily store the data that they stole. Typically the data breaches each followed a five step pattern. First the defendants and their associates and you'll see this in the indictment -- scout potential victims. By researching their web sites and other publications to identify companies -- engaged in financial transactions. Companies that would have lots of consumer credit and debit card information or other information that they were trying to get. They would then go to the website to those companies and sometimes even to their retail outlets to probe them for vulnerabilities. After the second step. With the after identifying the vulnerable web sites of companies were engaging these transactions. The defendants would attack the -- the victims networks. This was drink -- and -- and specialty. And their attacks were generally begin. Through what's known as an SQL injection -- through company's website -- -- well as a computer language that is used to manage computer databases. And what they would do is they would probe and test and penetrate until they would actually -- in. And once they got -- they would use custom designed malware. Malicious computer programs that where they are unique burglary tools to gain access to different parts of the company's networks. Once inside the networks. The third step. And then the wedding the third -- once they got in the networks and they would often brag to each other that when they were in make quote -- close quote the networks. They would then partially -- stay within patiently explore those networks looking for credit and debit card information login credentials and other valuable that. And what was really interesting is they were very patient. And relentless sometimes these attacks and these and these explorations. Would take months and months and months it was not unusual at all for them to spend that kind of time. Looking for valuable data within a victim's computer network and planting the malware that would allow them to -- -- trait that data in a way that would avoid detection for as long as possible. They would put programs on those networks called slippers which would intercept debit and credit card information as it passed through those networks. And then they would periodically have the malware that they placed relay the information back. To the servers on that they control. Before thing needed is once they stole the credit and debit card data and the related information from the victim's company's network so really on -- would then sell that. Which hackers referred to as dumps the group that the amount that when you get up and up a certain amount of doubt it's called a dump. And they would sell that information to a trusted group of resellers. So really on -- was the one who set the price for these -- Charging ten dollars for an American credit card number fifty dollars for European credit card number and fifteen dollars for Canadian credit card numbers. He even offered quantity discounts and discounts for repeat customers. He was also the person who was responsible for distributing and laundering the proceeds you'll see in the indictment that he did that. With the aid of someone who was identified in the indictment as co conspirator want. Finally. The resellers would then sell the information to individuals who would re -- the data. -- to the magnetic strips of blank cards and then cashed them out -- the maximum extent that they could. -- I said before along the way the conspirators took a variety of steps to avoid detection by network security and by law enforcement. For example you'll see -- ending in -- -- also -- -- provided them with what he advertised as quote bulletproof. Close quote posting. Comedy called bulletproof because he thought it was a fool -- way. Avoiding detection he would lease servers under fake names. Frequently change the overseas. Locations of the servers that he was offering for rent. -- and -- from which -- of the -- -- the launching their attacks. And I'm -- they which they were also storing their hacking tools and the information they stole he would also periodically -- those servers clean if necessary. To avoid detection by law enforcement. The charges in this case show that a handful of players -- we're capable of and responsible for orchestrating. A huge number of large scale data breaches. The hackers and their associated associates orchestrated seventeen. Major data breaches including intrusions into the networks of NASDAQ. 7-Eleven. JC Penney Heartland Payment Systems and several major payment. Card processors such as Euronet Worldwide. And global payment. We frequently bring prosecutions. Of the people who use the fruits of this kind of crime. Such as organizations of runners and catchers who go from ATM -- store to store with stolen credit card information. And cash out millions of dollars in -- a matter of hours. The individuals charged and arrested in this case are the ones at the top the ones who steal the -- That they sell to the folks who cash out. By arresting two of the key players and identifying three of the others we believe we have taken a major step toward dismantling this organization. I think this prosecution also demonstrates that well hackers are persistent and patient -- This investigation. Came out -- a December 2007. Intrusion into the networks of Heartland Payment Systems here in New Jersey. That investigation resulted in the arrest and guilty plea of Albert Gonzales who is now serving a twenty year sentence and is named as an unindicted co conspirator in today's. Indictment but we didn't stop with Gonzales we -- persistent and we were patient. We use the information we obtained in that investigation. Including online chats some of which are excerpted excerpted in the indictment. To identify and locate and arrest additional customers. No matter how hard hackers try. Even talented ones like the defense -- charged today. Everything in the cyber world leaves a digital thing from somewhere -- agents of the Secret Service -- special -- Jim Mitchell who is in charge of the New Jersey. Office of the Secret Service and the prosecutors in my office and curb your great wall and -- pack were standing to my left. Collected and analyzed those unique digital fingerprints left by the defendants and their hacking activities and use them to identify and locate the defendants in the indictment.

This transcript has been automatically generated and may not be 100% accurate.

{"id":19773728,"title":"Feds Bust Largest Hacking, Data Breach in US History","duration":"8:48","description":"Five men have been charged with stealing and reselling over 160 million credit card numbers.","section":"US","mediaType":"Default"}