10 Massive Security Breaches

The Department of Justice announced Thursday that an accused hacker has pleaded guilty to "trafficking in counterfeit credit cards and aggravated identity theft."

The accused, Rogelio Hackett Jr., 26, who's from the country of Georgia, faces 12 years in prison and $500,000 or more in related fines.

According to court documents, "a federal search warrant executed on the defendant's residence on June 30, 2009, located 676,443 stolen credit card accounts on the defendant's computers and in his email accounts." Authorities said they also found 100 counterfeit cards, and the equipment required for making such cards, including "an embosser, a tipper, and a credit card printer."

Credit card companies said that the stolen numbers--which Hackett would largely have sold to criminals--generated fraudulent charges that totaled $ 36.6 million.

Hackett began hacking for profit in 2002, after demonstrating his skills in Internet Relay Chat (IRC) chat rooms in the late 1990s, and regularly exploited SQL database vulnerabilities to access and download credit card information, said prosecutors. According to court documents, for example, Hackett broke into the database of an unnamed online ticketing services provider and stole 359,661 pieces of credit card data. Prosecutors also said that Hackett himself began buying stolen credit card information over the Internet from people in the United States, Ukraine, and Russia, beginning in May 2008.

Selling credit card data can be a lucrative business, with prosecutors estimating that Hackett's total haul was more than $100,000. As a result, he was able to rely on "carding"--selling credit card data--and identity theft as his only sources of income for several years before his arrest.

How much is stolen credit card data worth? Hackett charged between $20 and $25 per stolen account, netting more than $70,000 from selling stolen credit card before his arrest, and also received between $30,000 and $50,000 via fraudulent Western Union orders, said prosecutors. In addition, he'd sometimes swap stolen credit cards to criminals who then purchased gift cards for him.

Hackett's sales of credit card data came to the attention of the Secret Service via IRC chat rooms and carding forums, said prosecutors. His undoing ultimately came from selling 25 counterfeit credit cards for $630 to an undercover Secret Service agent in June 2009, followed by a sale of 15 cards for $550 to another agent.

While Hackett was arrested in 2009, credit data continues to be a prized commodity. Kaspersky Lab senior security researcher Kurt Baumgartner, speaking at a press event earlier this year, said that "the most valuable data right now is related to quick returns: credit card numbers, mother's maiden name, date of birth, how recently the credit card was stolen, how much it's worth."