Chances are that you've seen the stories about what some are calling "the largest case of computer crime and identity theft ever prosecuted."
28-year-old Albert Gonzalez, and two unnamed Russian men, are accused of stealing more than 130 million credit and debit card numbers from late 2006 to early 2008. According to prosecutors, the hacking gang broke into computer networks belonging to Hannaford Brothers, and two undisclosed national retailers.
What makes this news particularly fascinating, however, is that Miami-based Albert Gonzales (who uses the online handle "Sevgec") is already awaiting trial in connection with a massive data breach at TJ Maxx, OfficeMax, Barnes & Noble, Boston Market, Sports Authority, Forever 21, DSW, and BJ's Wholesale Club.
130 million stolen credit and debit card numbers is a jaw-dropping number by anyone's standards, and it's obviously very important for law enforcement agencies to send out a strong message that these types of attacks are serious offences.
After all, recovering from data breaches can mean significant costs for the companies involved and pain and inconvenience for their customers.
While many may concentrate on the alleged involvement of Albert Gonzalez, lets not forget that data thefts of this size are commited by organised and co-ordinated criminal gangs. Within the cybercrime underworld there are specialists in selling stolen data, turning that stolen data into hard cash, and laundering the proceeds.
And there are many other hackers out there.
Here is some advice for retailers, and other businesses, on how to better protect their data and the identities of their customers:
- Keep computers that store sensitive data, such as customer records, separate from your public facing website and servers.
- Ensure that sensitive data can be accessed by only those employees who actually need access to it.
- All sensitive data should be securely encrypted. There are more ways to lose data than via an electronic breach. Misplaced or stolen computers, CDs and USB drives can all be sources of information for criminals.
- Harden your website so it is not vulnerable to attacks such as SQL injection.
- Ensure that all points of your network are protected by good quality security software with anti-virus and anti-spyware on all computers, control the use of USB sticks, and deploy web security filtering in place to keep employees safe when they're online.