A View from David Talbot
Prosecutors Describe Massive Breach of Credit Card Data
A giant case shows Russian hacker gangs remain a potent force, and provides fuel to arguments for mandatory sharing of computer attack information between industry and government.
A record-smashing, long-running data breach that involved 160 milllion credit and debit card numbers—stolen from Heartland Payment Systems, 7-Eleven, Carrefour, JC Penney, Hannaford, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard—is likely to buttress the arguments for greater sharing of computer security information between companies and law enforcement agencies.
In announcing indictments Thursday, a federal prosecutor in New Jersey, Paul Fishman, called it “the largest hacking and data breach scheme ever prosecuted in the United States.”
Given that we’ve been reading about these massive breaches for years, it’s hard to see where existing security protections are really working. House Republicans have been pushing a cybersecurity bill, known by the acronym CISPA, aimed at breaking down barriers to sharing intelligence on cyber threats between businesses, government, and law enforment. But the bill, which the House passed earlier this year, allows private businesses to share customers’ personal information with government agencies, including the National Security Agency. President Obama has threatened to veto it, but hasn’t needed to. The Senate didn’t pass it, so it never reached his desk.
While Washington is as paralyzed as ever, cyber-criminal gangs are anything but. The indictments are a reminder that while there’s been plenty of evidence of Chinese involvement in data-thefts, (see “Expose of Chinese Data Thieves Reveals Soppy Tactics,” ) it’s hard to top Russian criminal networks when it comes to straight-on cybercrime (see “Moore’s Outlaws”). The accused include four Russians and a Ukrainian.