Heartland Hacker Pleads Guilty


You remember the January 2009 data breach of Heartland Payment Systems that exposed 130 million personal records, right? You should — it was the largest data breach of all time.

To give you a little background, Heartland Payment Systems processes 100 million credit and debit card transactions per month for 175,000 merchants. In late 2008, a hacker accessed the computers Heartland uses on a daily basis, jeopardizing 130 million customer records.

And finally, after almost one year of investigations, officials charged 28-year-old Albert Gonzalez of Miami. He pleaded guilty to two counts of conspiracy to gain unauthorized access to the payment card networks operated by Heartland, among other payment processing companies. But this was not Gonzalez’s first run-in with the law for hacking-related activities.

Gonzalez pleaded guilty in September 2009 in Boston to 19 counts of conspiracy, computer fraud, wire fraud, access device fraud and aggravated identity theft relating to hacks into numerous major U.S. retailers including TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority. Gonzalez also pleaded guilty in September 2009 in Boston to one count of conspiracy to commit wire fraud relating to hacks into the Dave & Buster’s restaurant chain, which were the subject of a May 2008 indictment in the Eastern District of New York.

Who knows where this cyber-scoundrel would have attacked next, had he not been caught. He faces sentencing in March for his crimes and will likely be sentenced to 17 to 25 years in prison.

Let’s take a look at the largest data breach incidents on record, listed by number of records breached, date and organizations affected.

Largest Data Breach Incidents

130,000,000 01/20/09 Heartland Payment Systems
94,000,000 01/17/07 TJX Companies
90,000,000 06/01/84 TRW, Sears Roebuck
76,000,000 10/05/09 National Archives and Records Administration
40,000,000 06/19/05 CardSystems, Visa, MasterCard, American Express
30,000,000 06/24/04 America Online
26,500,000 05/22/06 U.S. Department of Veterans Affairs
25,000,000 11/20/07 HM Revenue and Customs, TNT
17,000,000 10/06/08 T-Mobile, Deutsche Telekom
16,000,000 11/01/86 Canada Revenue Agency

As hackers become more sophisticated, more pressure is put on IT risk managers. And with budgets tight and resources lacking, we will undoubtedly see our share of data breaches well into the future.

Risk Management Links of the Day: 12.28.09


  • Five U.S. mortgage insurance companies are downgraded. You may have seen this coming, but Standard & Poor’s Rating Services downgraded five mortgage insurance groups, along with their core and dependent foreign subsidiaries. The article stated that “a backlog in foreclosures due to high unemployment and the economic crisis has slowed claims payments, but extended losses over a longer period than initially expected.”
  • Is the dollar headed for a rebound? According to today’s BusinessWeek article citing Marc Faber’s Gloom Boom & Doom newsletter, it is. Faber claims the dollar “may appreciate another five to 10% against the euro in the ‘near term’ as bearish betting on the greenback becomes too crowded.” The report stated that the dollar has gained 4.2% to $1.4396 per euro this month.
  • A beef recall has been initiated in six states. The U.S. Agriculture Department traced the E. coli bacteria in the meat to National Steak and Poultry, an Oklahoma-based meat packing company. The company then began a voluntary recall of 248,000 pounds of beef products in Colorado, Iowa, Kansas, Michigan, South Dakota and Washington state.
  • The U.S. is now more tsunami-ready than ever before. According to the Insurance Information Institute, since the devastating Indonesian tsunami in 2004, the U.S. has “significantly expanded its tsunami detection capabilities and broadened municipal awareness of this natural disaster.”

Find an interesting link? Email any stories, videos or images you come across and would like to see included. Or just follow me on Twitter @RiskMgmtMonitor and pass it along that way.

RiskCast: Episode 3

The editors of Risk Management gathered once again to discuss recent, interesting risk management stories. From discussions about the nation’s dirty drinking water, to the “Iranian Cyber Army’s” attack on Twitter, to the risks and benefits of the new LED traffic lights, to the risks of incorporating wild animals with your entertainment act — you’ve got it here in the third entertaining installment of RiskCast.

And remember, you can also subscribe to the RiskCast through iTunes by clicking this link or searching for “RiskCast” in the iTunes store. Please let us know what you think by ranking us or giving us a review on iTunes.


Let us know what you think!