TJX and Heartland Case Studies
Created January 2018
Between 2007 and 2009, team members from Carnegie Mellon University's Software Engineering Institute collaborated with the U.S. Secret Service to collect evidence and create forensic images of the computers involved in the TJX and Heartland cases.
Cyber Crime Is a Growth Industry
In August 2008, 11 people were charged with the theft of more than 40 million credit and debit card numbers from T.J. Maxx, Marshall's, Barnes & Noble, OfficeMax, and other major retailers. Masterminded by computer hacker Albert Gonzalez, the case remains one of the largest frauds of credit card information in history.
The Heartland case was similar to the TJX case. The data breach, which took place between 2007 and 2009, involved Heartland Payment Systems, the fifth largest credit card processor in the United States. During that time, Gonzalez and co-conspirators gained access to information associated with millions of credit cards by exploiting a network vulnerability.
The two cases, Heartland and TJX, involved the theft of over 130 million credit and debit card numbers, making this the biggest computer crime case ever prosecuted in the United States.
A New Tool Simplifies Data Analysis in Cyber-Crime Investigations
Digital Intelligence and Investigation (DIID) Team members from the SEI's CERT Division aided the U.S. Secret Service (USSS) in collecting evidence and creating forensic images of the computers used by Gonzalez and his co-conspirators. Due to the large volume of the collected data, analyzing it required a collaborative effort with the Clustered Computing Analysis Platform (C-CAP), which is a tool that stores collected data in one central location. DIID team members assisted the USSS in its investigation by providing expertise in working with the encrypted data and sophisticated configurations used by the attackers.
Since existing tools used to discover compromised credit card and financial account numbers produced many false positives, the DIID team also developed a new tool called CCFinder. CCFinder is more effective than previous tools at finding and validating account numbers and eliminating duplicate numbers. Maintaining a "pedigree" that shows all the locations in which each number was found, CCFinder reveals how stolen numbers were traded. After an initial theft, financial account numbers are often shuffled, split into chunks, and sold; CCFinder aids in tracing the source of the original theft. CCFinder simplifies the analysis stages of an investigation, given the volume of data files that are related to these types of financial crimes. "CCFinder was a big deal when we were working with 3 million account numbers," said team member Matthew Geiger. "Then we quickly went from there to 45 million in the TJX case."
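The following sketch is an added example, not CCFinder's code: it illustrates the find, validate, de-duplicate, and pedigree steps described above on constructed data. The candidate pattern, the use of the Luhn checksum for validation, and all function and file names are assumptions, since the page does not describe how CCFinder works internally.

```python
import re
from collections import defaultdict

# Assumed candidate format: 13-19 digits, optionally split by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def build_pedigree(sources):
    """Map each validated, normalized number to every (source, offset) where it appears."""
    pedigree = defaultdict(list)
    for name, text in sources.items():
        for m in CANDIDATE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())   # normalize so duplicates collapse
            if len(set(digits)) == 1:                 # filler such as 0000...0 passes Luhn
                continue
            if luhn_ok(digits):                       # drops most random digit runs
                pedigree[digits].append((name, m.start()))
    return dict(pedigree)

def seen_in_multiple_sources(pedigree):
    """Numbers present in more than one source, with the sorted list of those sources."""
    result = {}
    for number, locs in pedigree.items():
        names = sorted({src for src, _ in locs})
        if len(names) > 1:
            result[number] = names
    return result

# Constructed sample inputs; the numbers are publicly documented test card numbers.
SAMPLES = {
    "dump_a.txt": "id=1234567890123456|pan=4111-1111-1111-1111|pan=5555555555554444",
    "chat_b.log": "selling 4111111111111111 and 378282246310005",
    "batch_c.csv": "5555 5555 5555 4444,ref 0000000000000000",
}

if __name__ == "__main__":
    ped = build_pedigree(SAMPLES)
    for number, locs in ped.items():
        print(number[:6] + "..." + number[-4:], locs)  # mask the middle digits in output
    print(seen_in_multiple_sources(ped))
```

The 16-digit `id=` value and the all-zero reference are rejected as false positives, while the hyphenated, spaced, and plain forms of the same number collapse into one entry whose location list is its pedigree.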
In September 2008, Representatives John Murtha, Mike Doyle, and Jason Altmire recognized the team's efforts on TJX during a visit to Carnegie Mellon University. "CERT's role in this landmark case underscores its importance in computer security over the past 20 years," said Murtha.