Profile of a hacker: How the "soupnazi" did it

The man allegedly behind the biggest identity theft ever did it through a fairly simple ploy

Published August 18, 2009 12:19PM (EDT)

Monday, one of the most brazen hackers in American history was indicted in federal court in New Jersey. Federal authorities allege that Albert Gonzalez, along with two unnamed Russian associates, engineered one of the largest credit card and identity theft schemes in history. But this is hardly Gonzalez's first run-in with authorities over cyber-crimes. Here's a snapshot of Gonzalez and his short but startling history of plaguing American businesses and consumers.

Profile of a hacker

Name: Albert Gonzalez

Age: 28

Online pseudonyms: segvec, soupnazi, Cumbajohnny and j4guar17

Current co-conspirators: Two men from Russia who authorities did not identify by name.

Past criminal affiliations: Leader of Shadowcrew, an online credit-card hacking ring. In 2004, 26 of the 4,000 members of the hacking crew were arrested and convicted.

Gonzalez's hacking timeline

2003: Gonzalez was arrested for hacking but not charged with a crime because he agreed to work as an informant for the Secret Service on cyber-crimes. Yet, according to the Justice Department, he was again engaging in illicit activities fairly soon after his arrest.

October 2004: The government arrests members of the Shadowcrew. Gonzalez was the alleged leader of this hacking group.

November 2004: Gonzalez is allowed by the government to move from New Jersey to Florida. He then begins his hacking of Dave & Buster's restaurant chain.

October 2006-May 2008: Gonzalez and his associates targeted Fortune 500 companies with network security problems. He allegedly stole over 130 million credit and debit card numbers from Heartland Payment Systems Inc., a credit card payment processor, 7-Eleven, a national convenience store chain, and Hannaford Brothers Co., a supermarket chain. He was indicted for his leadership in this hacking ring Monday. Heartland is the world's 9th largest credit card processor.

May 2008: Gonzalez has been in custody since May 2008 when he was arrested for data theft at Dave & Buster's.

August 2008: Gonzalez is indicted for improperly probing the networks of many major U.S. retailers including TJX Companies (owner of TJ Maxx), BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. At the time, it was thought to be the largest individual instance of credit card data theft via the hacking of private computer systems, as nearly 40 million card numbers were stolen. Authorities have said the breach cost TJ Maxx close to $200 million.

August 2009: Gonzalez and two unnamed associates are charged in federal court in New Jersey with running the largest credit card and identity theft hacking operation ever prosecuted. Gonzalez was already awaiting trial in New York for his hacking of the network at Dave & Buster's restaurants and in Massachusetts for his penetration of TJX Companies.

How he did it

By all accounts, what makes Gonzalez's success so terrifying for consumers is that his alleged hacking ring was not very sophisticated. Officials have said Gonzalez used a technique called "wardriving," in which he and his associates travel to different areas searching for accessible wireless Internet networks. They then hacked into these networks, installing "sniffer programs" and "malware" software that allowed them to steal credit and debit card numbers from retailers. Gonzalez exploited holes in the SQL programming language used by many databases.

In the charges brought against Gonzalez on Monday, authorities said that once Gonzalez and his co-hackers captured the personal data, they'd send the information to computer servers in California, Illinois, Latvia, the Netherlands and Ukraine. Gonzalez would either then sell the numbers online or make purchases or unauthorized withdrawals from the banks the cards were linked to.

Gonzalez and his associates face anywhere from 35 years in prison to possible life sentences if convicted on all the charges currently brought against them. They also may have to pay more than a $1 million in fines.

What consumers should know:

  • According to identity theft experts, restaurants are particularly attractive for hackers because they seldom update their anti-virus software and other computer security systems.
  • Not all states require companies to notify consumers once their information has been compromised. It is unknown whether those affected by Gonzalez's heist were ever even alerted.
  • If you're worried about identity theft, you should check the government's site here.


By Vincent Rossmeier

Vincent Rossmeier is an editorial assistant at Salon.

MORE FROM Vincent Rossmeier

Related Topics ------------------------------------------