Hackers penetrated a large retailer's central database and stole at least 45 million credit card and debit card numbers along with 456,000 customers' personal information. Fraudulent charges approaching $100 million appeared around the world. The worst part? The company essentially rolled out the red carpet to the hackers by not installing industry-standard safeguards.
This article is excerpted and adapted from "Computer Fraud Casebook: The Bytes that Byte," edited by Joseph T. Wells, CFE, CPA, to be published in January, 2009 by John T. Wiley & Sons Inc.
According to nationwide news reports, hackers pointed a telescope-shaped antenna toward a U.S. retail store. A laptop computer helped decode data streaming through the air among handheld inventory management devices, cash registers, and store computers. From there, the hackers found their way into the company's central database at its headquarters more than 1,000 miles away. The hackers' entry point was an outdated wireless network connected to a computer system plagued with a host of data security shortfalls.
What followed was one of the biggest data-security breaches in history. At least 45 million credit card and debit card numbers were stolen, along with approximately 456,000 customers' driver's license, state, or military identification (personal ID) numbers with accompanying names and addresses. Many of the personal ID numbers were the same as the customers' Social Security numbers.
The hackers sold much of the stolen data on Web sites used to traffic stolen information. One cardholder's account experienced unauthorized transactions at a large discount store and at online vendors. Another account had $45,000 in fraudulent charges for gift cards. Fraudulent charges approaching $100 million surfaced throughout the United States and as far away as Mexico, Italy, Sweden, Thailand, China, Japan, and Australia.