A 26 year-old Georgia man pleaded guilty in federal court in Virginia to the theft of hundreds of thousands of credit cards and a years-long fraud scheme that netted him more than $100,000 in illicit profits – money he used to buy himself a BMW and luxury clothing.
Rogelio Hackett of Lithonia, Georgia, admitted to stealing 676,443 credit card accounts and selling that information online. Credit card companies say that stolen accounts were linked to tens of thousands of fraudulent charges that total close to $37 million. Hackett could face ten years in prison and fines of $500,000 when he is sentenced and be asked to make restitution to credit card companies for the tens of millions of dollars in losses, according to a signed statement (PDF) from the U.S. Attorney.
According to a statement of facts, signed by Hackett, his crime spree began in the late 1990s. A talented hacker, Hackett searched out vulnerable SQL databases online and exploited security vulnerabilities in them to gain access to credit card data.
His exploits include a 2007 attack on an unnamed “on-line ticketing services provider” that resulted in the theft of credit card information for 359,661 accounts.
Hackett also admitted to buying and fencing stolen credit card account information in carder forums online. Hackett received more than $70,000 from selling stolen credit card information between 2002 through 2009, and more than $100,000 in all from his schemes. That money was used to buy luxury goods including a BMW X5 automobile and $450 Louis Vuitton shoes, according to a statement from the U.S. Attorney.
Hackett came to the attention of the U.S. Secret Service, which was patrolling Internet Relay Chat (IRC) channels in pursuit of leading figures in the carding underground. In June, 2009, he sold a total of 40 counterfeit credit cards for $1,180 to an undercover U.S. Secret Service agent. A subsequent raid of Hackett’s residence turned up equipment for making counterfeit credit cards and the stolen credit card data.
The recent Verizon Data Breach Investigation Report (DBIR) found that reports of credit card theft collapsed in 2010 to just 4 million records, from 144 million in 2009. Despite that, reports of data breaches involving the theft of credit card information are still common. In recent months, reports of theft involving credit cards have turned up from organizations as diverse as the sightseeing company CitySights and engineering professional organization IEEE. While no Federal data privacy law exists, there has also been movement on enforcing state data privacy laws. The Massachusetts Attorney General announced a $110,000 penalty for The Briar Group LLC, the first firm sentenced under that state’s data breach law.
