Inside the TJX/Heartland Investigations

With the recent sentencing of the last of Albert Gonzalez' co-conspirators in the TJX and Heartland data breaches, a long, hard criminal investigation comes to a close.

In an exclusive interview, Kim Peretti, former senior counsel with the Department of Justice, offers an inside look at these investigations, detailing:

How the investigations unfolded from beginning to end;
The significance of the conspirators' sentences;
Lessons learned from these cases.

Peretti is a former Senior Counsel in the Computer Crime and Intellectual Property Section of the Criminal Division of the United States Department of Justice, located in Washington, DC.

At the Department of Justice, Peretti investigated and prosecuted multi-agency and multi-district computer crime and financial fraud cases, especially those involving large scale data breaches, identity theft, and online payment systems. She was co-lead prosecutor in the Department's largest hacking and identity theft case ever prosecuted - a case in which several members of an international retail hacking ring were convicted of stealing over 40 million credit and debit cards. She also co-led the benchmark prosecution of a global internet-based payment system convicted of money laundering and illegal money transmitting.

TOM FIELD: Let's look back on the Albert Gonzalez prosecution and sentencing. What does it all mean? Hi, this is Tom Field, Editorial Director with Information Security Media Group. I'm talking today with Kim Peretti, formerly the Department of Justice prosecutor who led the prosecution of Albert Gonzalez. Kim, it's such a pleasure to catch up with you.

KIM PERETTI: Thanks, Tom. I really appreciate the opportunity to talk with your members today.

FIELD: Well, Kim, it's been about a month now. Gonzalez and his conspirators have all been sentenced. What is the significance of these penalties now that they have finally come down?

PERETTI: Well, it is certainly significant because of the length, and particularly of Gonzalez's sentence of 20 years. It's the longest ever identity theft or cybercrime sentence that I'm aware of. So hopefully, it will have an impact on the broader hacking community and will certainly act as a general deterrent. You know, in looking back at the eight years that I was prosecuting these types of crimes, it may also be a signal that we'll start seeing and continue to see longer sentences for these types of financial cyber crimes in particular. I recall earlier in my career that I would be at one sentencing after another where the judges would certainly explain that this was a significant type of crime, but at the end they would sort of choose the balance of special deterrence over general deterrence, which would result in looking at the individual more and saying, "Well, I'm going to give you a second chance. I'm going to give you probation," or just a very minimal time in prison. Whereas in this recent string, each judge really made it clear in the record the importance here of general deterrence and sending a message to the community about how significant this is. Now it certainly was one of the biggest conspiracies. I think even one judge said this must be the only time when he's on the bench that he will see a $400 million conspiracy, but the individuals were the same that I've seen throughout my career before judges -- you know, young 20s when this crime occurred, good background, and this set of cases really saw that general deterrence be prominent.

FIELD: Well, Kim, you put it in perspective when you talk about having devoted eight years to this, and I know that certainly the Gonzalez prosecution -- you've been involved with Gonzalez for a number of years. Looking at this in perspective, what was the hardest part about the Gonzalez prosecution?

PERETTI: Well, there were three really challenging aspects to this. One was the identification of the individuals. The second was building and developing cases just based on technical facts and forensic information. And then the third was the international aspect. So let's walk through each of those. With the identification, we were trying to put identities basically to internet numbers. Cybercrime has evolved such that, in the Shadowcrew days, early 2003, 2004, we were chasing nicknames on the internet, which was hard but easier than chasing numbers. A lot of times what we are chasing now is ICQ numbers and using numbers to register in chat sessions. And they can change those numbers every five days, every five weeks, so we've got a string of numbers, evidence revealing a string of numbers of someone committing a crime, but getting back to the person is very difficult. It often requires us to weave in a number of factors: anonymous digital currency accounts, drop boxes, registration information -- you know, looking for subtle hints in the chats themselves about identity. Maybe they reference where they go on vacation or maybe they reference a birthday ... so we always have to just pull in lots of pieces to try to identify these individuals. The second part is building a case on technical facts. Anticipating if it goes to trial, what is this going to look like at trial? And when I was preparing for the New York part of this case, getting the witnesses lined up, realizing that I have five forensic witnesses, forensic individuals, involved agents or otherwise, and how is that going to appear to the jury? The jury likes to hear stories of what happens in our physical world, and if you present them with one technical fact after the other, a jury or a judge is really likely to get confused.
In the Gonzalez case, part of it involved matching malware, the hash value on malware, to hash values found on servers, with hash values found on victims, and then linking corporate victims together by malware found on their systems by hash value. So, you know, translating that into English, anticipating the trial, is very, very difficult. The third aspect is the international aspect, and again the Gonzalez cases had significant international connections, and that means foreign co-conspirators, foreign witnesses, foreign evidence, and evidence stored on foreign servers, or servers stored in foreign countries. And all of that makes these types of prosecutions extremely challenging. Then to build in, you've got foreign communication, so you're reviewing evidence of maybe a slang dialect in a particular Eastern European country ... So, really the communication aspect is another part that makes it pretty challenging.

FIELD: Well, it sounds like you've earned the graduate degree, Kim, but I'm not sure what it is in.

PERETTI: Certainly some sort of language.

FIELD: Kim, give us some insight if you can -- walk us through. I'm assuming this goes back as far as the TJX breach or even further. How exactly does an investigation like this unfold? If you could just take us sort of from the incident to the sentencing, it would be an education.

PERETTI: Sure, sure. The way I think of it is it unfolds very, very slowly. You know, it's piece by piece; it's just like a puzzle, maybe a 500-piece puzzle. You get little pieces of data along the way, and what has been significant in these cases and solving these cases is working with historical data. The Secret Service does a phenomenal job of keeping the historical information in sort of a place where it is easily accessible and searchable. We had pulled up information from a laptop computer seized from an Estonian in Spain, for instance. There were pieces on that laptop that were very helpful.

Again, a couple more examples: registration data on one of the chat accounts that was used. There was registration data on there, two pieces of registration data, and one from early on had matched; it was an email address that Albert Gonzalez had used when we first arrested him in 2003, and that was on his laptop. That was sort of one of those critical moments -- we're sort of in the right direction now. Another example I could give is there was one chat where Gonzalez was talking about someone who had been arrested. At that time we didn't know it was Gonzalez, but we had this chat of this person who had been talking about the breach in both TJX and Dave & Buster's, and then he mentions to his co-conspirator, "I just got a buddy that was arrested yesterday, can you help me? I might need to get a passport for him." So then, it's this search and chase -- "Well, who in this community, do we have any information of an individual that was arrested?" The Service did a great job. They found the individual. We were able to locate that individual's hard drive when he was arrested years before that, and on that hard drive was a reference to Gonzalez. So there is another connection that was made.

At the end of the day, at some point, there are just so many connections you feel the critical path is there. That at least you've established probable cause, and once you've established probable cause you can put together your search warrants for particular locations where there might be evidence of criminality, and that's what we did in this case and searched several locations down in Florida. Then we were able to get hold of some co-conspirators, and co-conspirators made statements, and one of the statements was very helpful for our Eastern District of New York case, which enabled us to immediately get a complaint and a subsequent indictment on Albert Gonzalez in the Eastern District of New York. Then several months later, in the other cases, the evidence developed and unfolded such that there was the ability to indict him on other cases. So it really was a progression, and looking back on it, all those pieces of evidence along the way from other unrelated individuals at the time, starting back in 2004 -- you know, going back through those hard drives, they had critical pieces of information that we were able to use to sort of tie this whole maze together and put all the pieces together.

FIELD: So Kim, just to take it a step further, how were you able to go from amassing that evidence to having such a compelling case that the conspirators really had no choice but to plead guilty and then to get the sentencing that you did?

PERETTI: Well, I've never had one of these types of carding cases go to trial yet, because usually the evidence is so good, and it's more of: once they are caught, they know they are caught. In this case, when you have chats where you have a very good link to who was the person doing the communication, and then you have the communication actually saying, "I'm hacking into this system" ... that is pretty compelling evidence. Through the process of discovery, when they start to see the evidence, then what you try to do is have one of the lower persons involved in the conspiracy start talking. And once one person starts talking, it can be like a domino effect. The story unravels further, and no one wants to be the last man standing, so to speak.

FIELD: So, Kim, after all this is done, everybody has been sentenced now, let's talk about lessons learned. What did you gain from this exhausting experience?

PERETTI: Well, certainly one of the most important things I think is to gain insight into the criminals. It's important to understand their techniques, but also to put perspective on what type of actor has the ability to get into all of our systems. Are we dealing with organized crime as we know it? Are we dealing with very sophisticated 40-year-olds who have had 20 years of training? Are we dealing with nation state actors? And one helpful piece of information we gain looking at these criminals is that they certainly were sophisticated in some ways. They were able to be self-taught. At least the stateside individuals are not necessarily highly educated, not formally trained. On computers they were self-taught, but they were also immature in other ways. I read hundreds if not thousands of pages of chats of gibberish chat, drug use, talking about discos, talking about rap songs and girls, and being asked out on a date while they are chatting. You know, hundreds of pages, and then maybe 99 pages later there is a chat of, "I just hacked into the system." So I think that gives good insight of the type of criminal actor that is able to get in and penetrate so many of our systems in the financial area. That is one particularly helpful piece of insight. We contrast that with the co-conspirators in Eastern Europe, which we saw to be more educated, more formally educated, maybe going to some of the best mathematical schools or computer science schools, and also even at a young age having really taken their money, which they were earning hand over fist, and invested it. Buying -- one bought a housing development, one bought a hotel and a restaurant, so you know that is very helpful to understand that there is really a huge industry that is very profitable for a number of people across the Atlantic.
But on the positive side for law enforcement, I think it was incredibly significant as a message to the outside world that law enforcement can catch even the most sophisticated of cyber criminals no matter where they are.

FIELD: Well, Kim, what is next for you now?

PERETTI: Well, I mean, next for the people to keep an eye out for, and I sort of see this as the point of sale systems problem that we have, we continue to see sort of unabated compromises of these point of sale systems across every vertical vector in the payment card area. So, I think we'll really need to stay on top of the criminals as they are changing their techniques, maybe not going after large masses with large volumes of track data, but targeting smaller entities in different sectors, but still going after those point of sale systems. We'll also need to keep plugging away at better methods to protect our systems against these continuous attacks. So I think that will keep all of us busy for a while. Of course we haven't even touched upon the sophisticated phishing and ACH fraud, which is also another thing to continue to be focused on, but we could pick up another podcast talking about those issues.

FIELD: Thank you, and how about for yourself personally? I understand you've left the Department of Justice. What do you want to do next?

PERETTI: I have left the Department, and I'm transitioning over to the private sector, where I started from eight years ago. Less on the legal side and more on the consulting side, and I'm really excited to be able to take this knowledge that I've gained and share it with companies and hopefully provide some value doing that.

FIELD: Well, I bet we'll talk about these issues again, Kim. I appreciate your time and your insight, and I wish you well.

PERETTI: Thank you very much, Tom.

FIELD: We've been talking with Kim Peretti, formerly of the Department of Justice. For Information Security Media Group, I'm Tom Field. Thank you very much.
