> series: anatomy_of_a_breach —— part: 008 —— subject: albert_gonzalez —— cards_stolen: 174,000,000 —— sentence: 20_years
In August 2009, a federal grand jury in New Jersey handed down indictments that connected the dots between several of the largest data breaches in history. At the centre was Albert Gonzalez — a 28-year-old from Miami who had, remarkably, been working as a paid informant for the US Secret Service while simultaneously orchestrating the theft of 174 million payment card numbers across multiple major corporations. The indictments covered TJX Companies (94 million cards), Heartland Payment Systems (130 million cards), Hannaford Brothers (4.2 million cards), and 7-Eleven — making Gonzalez responsible for the largest combined card theft ever prosecuted.
Gonzalez was not a lone wolf. He operated with a network of international co-conspirators, including two unnamed Russian hackers, and coordinated operations across multiple countries. The Department of Justice called it 'the largest hacking and identity theft case ever prosecuted.' Gonzalez would ultimately be sentenced to 20 years in federal prison — the longest sentence for computer crime in US history at the time.
We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.
Gonzalez's methodology was remarkably consistent across all four breaches. He exploited the same vulnerability class — SQL injection — to gain initial access to corporate networks, then deployed the same tools — custom sniffer malware — to capture payment card data as it was processed. The consistency of the attack pattern underscores a critical point: these were not four different attacks requiring four different defences. They were the same attack, repeated four times, against four organisations that all had the same vulnerability.
| Target | Entry Point | Cards Compromised | Year |
|---|---|---|---|
| TJX Companies (TK Maxx) | Wardriving — WEP-encrypted Wi-Fi at a Marshalls store in Miami | 94 million | 2005–2007 |
| Heartland Payment Systems | SQL injection in an eight-year-old web login page | 130 million | 2007–2008 |
| Hannaford Brothers | Malware installed on in-store servers to capture card data during authorisation | 4.2 million | 2007–2008 |
| 7-Eleven | SQL injection against corporate systems | Undisclosed | 2007–2008 |
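As an added illustration (not the page's own code, and not anything recovered from the Heartland systems), here is the weakness behind the Heartland row above, a login query assembled by string concatenation, beside its parameterised form. The in-memory user table, account names and passwords are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for a web login backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!', 'admin')")
    conn.execute("INSERT INTO users VALUES ('clerk', 'pos1234', 'user')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement from user input, so input can become SQL syntax.

    A quote in the username ends the string literal and the rest of the
    input is interpreted as SQL; a legitimate apostrophe (O'Brien) is a
    syntax error, which is why escaping-by-hand is not the fix.
    """
    sql = ("SELECT role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterised(conn, username, password):
    """Same query with bound parameters: input is always data, never SQL."""
    sql = "SELECT role FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # The textbook probe closes the string and comments out the password check.
    probe = "admin' --"
    print("concatenated:", login_vulnerable(db, probe, ""))      # admin
    print("parameterised:", login_parameterised(db, probe, ""))  # None
    print("real login:", login_parameterised(db, "admin", "S3cret!"))
```

The two functions run the same query against the same data; only the parameterised one treats the probe as a username that does not exist.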
Perhaps the most extraordinary aspect of Gonzalez's story is his dual role. After being arrested in 2003 for his involvement in the ShadowCrew criminal forum — which trafficked in stolen card data — Gonzalez became a paid informant for the US Secret Service. He provided information that led to the arrest of other cybercriminals, while simultaneously continuing to orchestrate massive card theft operations of his own. His Secret Service handlers were unaware that their informant was conducting the very crimes he was helping them investigate.
This dual existence continued until 2008, when the Secret Service — investigating suspicious transactions flagged by Visa and MasterCard at Heartland — eventually traced the trail back to Gonzalez himself. The arrest of one of the most prolific cybercriminals in history by the same agency he was working for remains one of the most remarkable episodes in the history of cyber law enforcement.
Gonzalez's four-breach campaign teaches a single, powerful lesson: the most damaging cyberattacks exploit the most basic, well-understood vulnerabilities. SQL injection is not exotic. WEP cracking is not sophisticated. Sniffer deployment on unsegmented networks is not novel. Yet these known, preventable weaknesses — combined with inadequate monitoring and slow detection — enabled the theft of 174 million payment card records and caused hundreds of millions of pounds in losses.
Every one of Gonzalez's attacks would have been prevented or detected early by the controls that Hedgehog Security assesses and implements for our clients: web application testing to find SQL injection, wireless testing to identify WEP and other weak encryption, infrastructure testing to validate network segmentation, PCI DSS assessment to verify payment security controls, and continuous SOC monitoring to detect the months of lateral movement and data exfiltration that preceded every discovery. For incident response when a breach is discovered, UK Cyber Defence provides the forensic capability to investigate, contain, and support prosecution.
In March 2010, Albert Gonzalez was sentenced to 20 years in federal prison — the longest sentence ever imposed for computer crime at the time. He is not scheduled for release until 2025. His case established legal precedents for the prosecution of cybercrime at scale and demonstrated that sophisticated, organised card theft operations could be investigated, attributed, and successfully prosecuted across international borders. The financial industry's response — accelerated PCI DSS adoption, end-to-end encryption initiatives, and increased investment in monitoring — was driven in large part by the scale of Gonzalez's crimes.
SQL injection, weak wireless encryption, missing segmentation, and absent monitoring — the same vulnerabilities that enabled 174 million card thefts still appear in our penetration testing findings. The tools have changed. The vulnerabilities have not. Test yours before someone else does.