Just read an article from Wired about Albert Gonzalez pleading guilty last week to orchestrating the largest computer hacking crime in U.S. history. During his trial, Gonzalez told prosecutors that he, along with at least two other Russian accomplices, breached at least four card processing companies, a series of foreign banks, a brokerage house and several retail store chains. These retailers include TJX, Hannaford Bros, BJ’s Wholesale Club, 7-Eleven, Dave & Busters restaurant chain, and at least two other national retailers that haven't been named. Altogether, he is responsible for stealing more than 130 million credit cards.
While he is currently awaiting sentencing (scheduled for Dec. 21), it is expected that he will only receive between 15 and 25 years in prison, despite the fact that he is eligible for life imprisonment. Apparently, he's been quite cooperative with prosecutors about identifying others involved in this breach:
The document reveals that six months after his May 2008 arrest, Gonzalez located and provided prosecutors with the “complicated” and “lengthy” password to decrypt his laptop, which contained “a vast array of historical data and communications” that helped the government indict other members of Gonzalez’s team, and could be used in future search warrants. It also reveals that Gonzalez drew prosecutors a map that helped them find more than $1.1 million that he had buried in his parents’ backyard.
I guess burying dough in your parents' yard is really one of your only options when you have that kind of cash on hand. I sure hope law enforcement remembered to check his mattress.
While this is certainly a massive breach of IT security, how much of this should concern physical security folks? As IT and physical security departments continue on this road to convergence (from which there's no turning back, I'm afraid), I would say more and more physical security professionals are going to have to be proficient in the vulnerabilities of both aspects of security. As a matter of fact, I think the security professional of the future may even have, let's say, a degree in computer science over criminal justice? That's pure speculation on my part. Apparently, Gonzalez wants to help corporations protect themselves against, well, people like him:
“Gonzalez made complete disclosure of information ranging from how weaknesses in the corporate security systems were identified, how data was exported from the companies, how it was stored on foreign servers in the Ukraine and Latvia, how stolen data was de-encrypted and by whom, how profits were received via web-currency, who was involved in the flow of currency, and the identities of two persons who were used as couriers of money to Gonzalez,” according to the document.
By identifying intrusions that “had not yet been detected,” his lawyer wrote, Gonzalez helped the companies institute protective measures to secure their data and prevent future breaches.
And, as a side note, the only reason there is so much information about the details of this case is because someone improperly redacted the sentencing document. This inability to properly redact information is apparently becoming a trend.