On August 17, the US Attorney’s Office for the District of New Jersey charged Miami native Albert Gonzalez and two other men in what the Department of Justice is calling “the largest hacking and identity theft case ever prosecuted.” The indictment alleges that Gonzalez and some unnamed co-conspirators stole over 130 million debit and credit card numbers in a scheme to breach the data security systems of a number of companies, including Heartland Payment Systems, 7-Eleven, and Hannaford Brothers. Gonzalez also is separately facing trial in the District of Massachusetts for his alleged role in the much-publicized “TJX” data breach.
The Gonzalez case should serve as a cautionary tale about an alarming trend in the ever-increasing size of data breaches and sophisticated identity theft schemes. As recently as September 2004, for example, the US Attorney’s Office for the Southern District of New York announced the guilty plea of Philip Cummings to charges relating to an identity theft scheme that was, at the time, hailed as the “largest identity theft case in [the] nation’s history.” Cummings and his accomplices were charged with unlawfully stealing the credit reports of more than 30,000 people. (Full disclosure: one of the authors of this post, Marcus Asner, led the Cummings prosecution while serving as an AUSA in the SDNY.) Subsequently, in February 2005, ChoicePoint announced the theft of data pertaining to 145,000 individual victims, and, in August 2008, DOJ announced the TJX data breach that involved the theft of 40 million debit and credit card numbers. Then-Attorney General Mukasey called the TJX case the single largest and most complex identity theft case ever charged in this country.
To be sure, not all data breaches are equal. By stealing individual victims’ credit reports, for example, Cummings and his co-conspirators potentially gained far greater access to each individual victim’s credit. The Cummings prosecution also appears to be larger than some other data breach cases in terms of number of defendants prosecuted (over 20) and estimated loss (over $100 million). That said, the increase in the number of victims potentially affected from case to case is staggering. Even assuming, to make the contrast, that each individual victim in the Cummings scheme had 10 accounts listed in his or her credit report, the most recent Gonzalez breach would have affected over 400 times as many accounts as Cummings and his co-conspirators did.
This trend underscores an unsettling danger for businesses: With increased reliance upon centralized web-based financial data repositories, companies may be vulnerable to wider breaches, giving rise to greater liabilities, than ever before. Victim companies whose security systems have been breached may face civil liability from affected persons and companies, as well as civil penalties from state and federal governments. For example, in June, TJX announced that it had reached a settlement with 41 states worth $9.8 million over the data breach allegedly spearheaded by Gonzalez that exposed its customers to potential identity theft fraud. TJX’s settlement with the states paled in comparison to the nearly $65 million combined it agreed to pay Visa and MasterCard for payments to credit and debit card issuers for costs associated with the breach. And late last week, just days after the Gonzalez indictment was announced, alleged victim Heartland Payment Systems was hit with an amended class action complaint filed in New Jersey federal court alleging that the company misled shareholders about vulnerabilities in its data security systems.
The Gonzalez indictment and investigation further demonstrate the enhanced law enforcement coordination efforts that can be expected from the Department of Justice under President Obama. With the recent emergence of more sophisticated hacking techniques and new e-data vulnerabilities, we have seen an explosion in reported data breaches. These breaches are made all the more difficult to identify and prosecute because large-scale identity thefts frequently are perpetrated by global theft rings. As outlined in an Arnold & Porter advisory on Obama’s appointment of a “cyber czar,” such coordinated multi-agency, multi-jurisdictional investigations are likely to increase in both frequency and scope under the aegis of the Administration’s new Cybersecurity Coordinator.