WASHINGTON — A former government informant known online as “soupnazi” stole information from 130 million credit and debit card accounts, including those used at a Maine based supermarket chain, in what federal prosecutors are calling the largest case of identity theft yet.
Prosecutors said Monday that Albert Gonzalez, 28, of Miami broke his own record for identity theft, though his exploits ended when he went to jail on charges stemming from an earlier case involving 40 million accounts.
Gonzalez is a former informant for the U.S. Secret Service who helped the agency hunt hackers, authorities said. The agency later found out that he had also been working with criminals and feeding them information on ongoing investigations, even warning off at least one individual, according to authorities.
Gonzalez, who is already in jail awaiting trial in a hacking case, was indicted Monday in New Jersey and charged with conspiring with two other unnamed suspects to steal the private information. Prosecutors say the goal was to sell the stolen data to others.
How much of the data was sold and then used to make fraudulent charges is unclear. Investigators in such cases say it is usually impossible to quantify the impact of such thefts on account holders.
Prosecutors say Gonzalez, known online as “soupnazi,” targeted customers of convenience store giant 7-Eleven Inc. and supermarket chain Hannaford Brothers Co. Inc. He also targeted Heartland Payment Systems, a New Jersey-based card payment processor.
According to the indictment, Gonzalez and his two Russian coconspirators would hack into corporate computer networks and secretly place “malware,” or malicious software, that would allow them backdoor access to the networks later to steal data.
Gonzalez faces up to 20 years in prison if convicted of the new charges. His lawyer did not immediately return a call for comment.
Gonzalez is awaiting trial next month in New York for allegedly helping hack the computer network of the national restaurant chain Dave and Buster’s.
The Justice Department said the new case represents the largest alleged credit and debit card data breach ever charged in the United States, based on a scheme that began in October 2006.
Gonzalez allegedly devised a sophisticated attack to penetrate the computer networks, steal the card data, and send that data to computer servers in California, Illinois, Latvia, the Netherlands and Ukraine.
Last year, the Justice Department announced charges against Gonzalez and others for hacking retail companies’ computers for the theft of approximately 40 million credit cards. At the time, that was believed to be the biggest single case of hacking private computer networks to steal credit card data, puncturing the electronic defenses of retailers including T.J. Maxx, Barnes & Noble, Sports Authority and OfficeMax.
Prosecutors charge Gonzalez was the ringleader of the hackers in that case.
At the time of those charges, officials said the alleged thieves weren’t computer geniuses, just opportunists who used a technique called “wardriving,” which involved cruising through different areas with a laptop computer and looking for accessible wireless Internet signals. Once they located a vulnerable network, they installed so-called “sniffer programs” that captured credit and debit card numbers as they moved through a retailer’s processing networks.
Gonzalez faces a possible life sentence if convicted in that case.
Restaurants are among the most common targets for hackers, experts said, because they often fail to update their antivirus software and other computer security systems.