U.S. authorities charged five men on Thursday with hacking and credit card fraud at several large corporations. Not only is this a security issue for consumers, but it’s a huge reputation and branding issue for companies that rely on keeping information safe.
Here’s the story from Reuters:
Federal prosecutors said on Thursday they have charged five men responsible for a hacking and credit card fraud spree that cost companies more than $300 million and two of the suspects are in custody, in the biggest cyber crime case filed in U.S. history.
They also disclosed a new security breach against Nasdaq, though they provided few details about the attack.
Other companies targeted by the hackers include a Visa Inc licensee, J.C. Penney Co, JetBlue Airways Corp and French retailer Carrefour SA, according to an indictment unveiled in New Jersey.
Authorities have been pursuing the hackers for years. Many of the breaches were previously reported, though it appeared the one involving Nasdaq OMX Group Inc was being disclosed for the first time.
Prosecutors said they conservatively estimate that the group of five men from Russia and Ukraine helped steal at least 160 million payment card numbers, resulting in losses in excess of $300 million.
The Wall Street Journal pointed out several more names and added this context about cyber crime as the wave of the future:
Cybercrime has been a growing concern for prosecutors in the U.S. and around the world in the past few years as hacking groups have become more brazen in their infiltrations of government websites and secure financial systems. Hacking groups have been successful in carting away millions of dollars in just a matter of hours with little more than a computer and a handful of stolen card numbers.
“This type of crime is the cutting edge,” said Paul Fishman, the U.S. attorney in New Jersey. “Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy and our national security. And this case shows there is a real practical cost because these types of frauds increase the costs of doing business for every American consumer, every day.”
The indictment says members of the conspiracy “scouted” potential victims, including visiting retail stores in 2007 and in 2008 to identify their payment-processing systems. In other cases, the indictment alleges, the hackers installed software on the corporate computer systems so that they could create so-called back doors giving them access to the systems at a later date.
The indictment says the hackers would get large amounts of data from the corporate computers and then sell the information. Prices ranged from about $10 for each stolen American credit-card number, $50 for each European number and $15 for the Canadian variety.
The scheme unveiled on Thursday allegedly targeted computer systems at a variety of companies, including Nasdaq, French retailer Carrefour, J.C. Penney, 7-Eleven Inc., JetBlue Airways Corp. and a Jordan company that processed payments for merchants using Visa Inc.’s network. Dow Jones Inc., a unit of News Corp. and the publisher of The Wall Street Journal, also was an alleged victim of the scheme, in 2009, according to the indictment.
The New York Times story offered details of what was stolen from a couple of companies, citing the indictments:
The attacks underscore the broader threat that hacking poses to a financial system that is almost entirely reliant on networked communications.
In the Nasdaq case, Mr. Kalinin is accused of hacking into the servers used by the exchange. From November 2008 through October 2010, he installed malicious software, or malware, on servers that allowed him to delete, change or steal data, according to the indictment unsealed on Thursday. The infected servers did not include the platform for securities trading.
In a separate indictment also unsealed in federal court in New York, Mr. Kalinin and another Russian, Nikolay Nasenkov, who is also at large, are accused of conducting a scheme to steal bank account information and use it to withdraw millions of dollars from the victims’ bank accounts. From December 2005 through November 2008, the two men hacked into computer systems and stole information from banks including Citibank and PNC Bank, according to the indictment.
In January 2006, the personal identification numbers for hundreds of customer accounts were compromised by a cyberattack on PNC Bank’s online banking Web site, the indictment said. Mr. Nasenkov supplied stolen account information to co-conspirators who, in turn, used it to encode blank A.T.M. cards and withdraw $1.3 million from victims’ accounts.
While all these details are interesting, I would have liked to see some mention of the reputation risk that cyberattacks pose, especially to banks and financial institutions. It’s a topic that many large firms spend considerable time and resources trying to offset and solve, but not something that is written about often.
It’s an important angle that should be covered more, especially as large companies grapple with the problem of remaining profitable and staying one step ahead of cyber criminals.