A federal grand jury has indicted three people on charges of hacking into the files of the credit and debit card payment processing giant Heartland Payment Systems last year, part of an investigation the Justice Department is calling the largest identity theft case ever prosecuted.
One of the accused, 28-year-old Albert Gonzalez of Miami, was indicted last year for his alleged role in several other major data breaches, including ones at TJ Maxx, Barnes & Noble, BJ's Wholesale Club, Boston Market, DSW, Forever 21, Office Max and Sports Authority.
In total, the government alleges, the trio stole data on more than 130 million credit and debit cards from Heartland, based in Princeton, N.J.
According to indictments returned Monday in a New Jersey federal court, the government believes the same people were involved in a string of high-profile data breaches from October 2006 to May 2008, including intrusions at the Hannaford Brothers grocery chain and 7-Eleven.
Hannaford oversees Sweetbay Supermarket for Belgian owners DelHaize Group. From Dec. 7, 2007, through March 10, 2008, 1.6 million accounts were compromised because of a breach at 106 Sweetbay stores in Florida.
"This investigation marks the continued success of law enforcement in tracking down cutting-edge hacking schemes committed by hackers working together across the globe," said Ralph J. Marra Jr., acting U.S. attorney for the district of New Jersey.
The indictments returned Monday include two other people accused in the Heartland and Hannaford breaches, described only as "Hacker 1" and "Hacker 2," both of Russia. All three are charged with two counts: conspiracy to gain unauthorized access to computers, to commit fraud in connection with computers and to damage computers, and conspiracy to commit wire fraud. Each defendant faces a maximum of 35 years in prison, as well as more than $1 million in fines or twice the gain resulting from the offense, whichever is greater.
Gonzalez was previously indicted for his alleged role in the TJ Maxx hacks, among others, and is detained in Brooklyn, N.Y., pending trial. He has pleaded not guilty in that case.
Heartland disclosed the breach in January. At the time of the intrusion last summer, Heartland was processing 100 million payments for at least 250,000 businesses each month. The company has not disclosed how many credit and debit accounts may have been compromised in the breach, although at least 650 financial institutions have been affected, according to BankInfoSecurity.com.
In a June filing with the Securities and Exchange Commission, Heartland said that the data breach had cost it $32 million. But the final bill may be far higher: The breaches at TJ Maxx have cost the company at least $200 million to date, according to a filing with the Securities and Exchange Commission.
Information from Times files was used in this report.