Security Watch

Updated every Tuesday evening, circa 11 p.m. ET. Links may require registration/subscription. 

Serial Offender?

New Jersey prosecutors have estimated that the Heartland Payment Systems Inc. breach involved 130 million card accounts — and linked it to a man who is already awaiting trial for his alleged involvement with the massive breach at TJX Cos. Inc.

If convicted of all charges against him, the 28-year-old former Secret Service informant Albert Gonzalez would be held responsible for several of the biggest data breaches in recent years, Wired.com's "Threat Level" blog reported Monday.

Gonzalez was indicted last year for his alleged connection to the incidents at TJX, Dave & Buster's Inc. and several other retailers. According to Monday's indictment, which Wired.com has posted online, Gonzalez and two unnamed people living in or near Russia have also been charged with conspiracy to commit computer fraud and conspiracy to commit wire fraud against five more companies, including Heartland, Hannaford Brothers Co. and 7-Eleven Inc.

The New Jersey indictment claims that, in addition to the Heartland breach that exposed about 130 million card accounts, another 4.2 million accounts were exposed in the Hannaford incident. It did not provide figures for the 7-Eleven breach or for two unidentified retailers also mentioned in the indictment.

"Threat Level" explained that Gonzalez became a Secret Service informant when he agreed to provide information after his 2003 arrest in connection with the "Shadowcrew" online card fraud ring. The information he provided as part of the Secret Service's "Operation Firewall" led to the arrest of 28 others. Gonzalez is in custody awaiting trial for the TJX and Dave & Buster's incidents.

Stephen Watt, a programmer who pleaded guilty to writing the program used to steal card data from some of the companies Gonzalez is accused of hacking, is to be sentenced this month, the article said.

Misused Data

Federal agencies that provide loans to people in some Pacific island nations are reporting the borrowers' foreign Social Security numbers to credit bureaus — creating financial difficulties for the U.S. taxpayers who share those numbers.

The issue affected Associated Press writer Holly Ramer, who described the situation in a Sunday article.

Not all the foreign numbers are perfect matches for U.S. Social Security numbers; some of the other nations do not use nine-digit numbers, the article said, but when they are reported to U.S. credit bureaus, an extra zero is typically added to the front.

This can create problems for people issued Social Security numbers in Maine and New Hampshire, where they begin with a double-zero.

Ramer discovered the problem when a collection agency called about an unpaid debt of $7,306 from a man in Micronesia.

The debt came from the Federal Emergency Management Agency, which made $20 million in loans and grants to Micronesia after 2002's Tropical Storm Chata'an.

The article said people with Social Security numbers that begin 002-6, 003-9, 004, 005-7, 006-4, and 007-8 should be concerned because their numbers may be among the estimated 135,000 that match numbers assigned to residents of Micronesia, Palau, and the Marshall Islands.

Consumers in this situation may have fewer options for recourse than identity theft victims.

For example, the Federal Trade Commission "investigates identity theft, and this isn't theft," Ramer wrote.

Bull's-Eye on Twitter

Twitter Inc.'s microblogging service has been used by at least one hacker to control a "botnet" of compromised home computers.

The Twitter account "Upd4t3" sent updates to the botnet in the form of garbled links, Wired.com's "Threat Level" blog reported Aug. 13. The account, which was discovered by the Chelmsford, Mass., data analysis firm Arbor Networks Inc., listed several strings of characters that were really commands to compromised computers. These posts told the machines where to look for updated code or other instructions.

"Threat Level" said that since other public communication tools, such as chat rooms, have long been used in this manner, "perhaps what's surprising is that it's taken so long for hackers to take Twitter to the dark side."

The "Upd4t3" Twitter account has since been suspended.

The attack that took down Twitter's service this month began with a series of identity thefts in the United States.

Stolen financial details were used to register the Internet accounts behind the attacks and mask the identities of the true perpetrators, The Wall Street Journal reported Monday, citing research from a nonprofit group called the U.S. Cyber Consequences Unit.

The attack took down Twitter and other communication tools, including Facebook Inc.'s social networking site, and was believed to have been the work of hackers in Russia targeting Georgia, the article said.

For the most part, however, personal details of Americans were used to launch the attacks. Of the 10 Web sites tied to the attack that were registered with stolen identities, nine were registered to U.S. identities and one to a French identity.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.