WASHINGTON (8/18/09)--Credit unions that lost funds in data breaches at major retailers and payments processors over the past three years will be interested in the indictment Monday of a Miami, Fla., man and two Russian-citizen cohorts for the biggest data breaches in history: Heartland Payment Systems, Hannaford Brothers Co. and more.
The Justice Department is calling the Heartland-Hannaford indictment "the single largest hacking and identity theft case ever prosecuted." The hackers stole more than 130 million credit and debit card numbers from the Princeton, N.J.-based card processor Heartland and the Maine-based grocery chain Hannaford combined. Thousands of credit unions and other financial institutions were forced to reissue credit and debit cards whose numbers and personal information were compromised in the data thefts.
The true cost to credit unions of the breaches cannot be estimated, because the card companies have the actual loss figures but never report them, said CUNA Mutual Group Media Relations Manager Phil Tschudy. "We insure most, but not all credit unions, and not all losses are reported to us because of changes we made to deductible limits." Reporting losses from only CUNA Mutual's insured credit unions would "be significantly understated and a bit misleading," he told News Now. In addition to losses, hard costs to block existing cards and reissue new ones "is probably between $2.50 and $3.50 a card, and the soft dollars related to staff hours likely eclipses those," Tschudy said.
In the indictment, Albert "Segvec" Gonzalez, 28--a former Secret Service informant already awaiting trial regarding earlier breaches of discount retailer TJX Cos. and others--was the only person named by the federal grand jury in New Jersey. The indictment was unsealed Monday (Wired.com and ComputerWorld Aug. 17). The three indicted, including a person identified only as "P.T.," are charged with conspiracy and conspiracy to engage in wire-fraud.
The Justice Department said the three sought out Fortune 500 companies and attempted to identify the potential vulnerabilities in the companies' computer systems. They used a sophisticated "SQL injection attack" seeking to exploit computer networks by finding a back door into a network's firewall so they could upload credit and debit card information to servers that acted as hacking platforms. Gonzalez and the co-conspirators then would try to sell the data to others for fraudulent purposes, the indictment said. They used computers they leased or controlled in California, Illinois, New Jersey, Latvia, Ukraine and the Netherlands to store malicious software, launch their attacks and receive the stolen numbers.
Gonzalez, if convicted on the Heartland-Hannaford breaches alone, could face up to 20 years for a wire-fraud conspiracy and an additional five for conspiracy. He also faces fines of $250,000 per charge.
In May and August 2008, Gonzalez was one of 11 people charged with the breaches of TJX Cos., OfficeMax, Dave & Busters restaurants and other unnamed companies. Their trial begins next month, with jury selection set for Sept. 14. On those charges, Gonzalez faces a maximum of five years in prison and a possible maximum fine of $250,000 on the computer fraud charge; on the wire charge he faces 30 years and a $1 million fine, or twice the amount gained from the offense, whichever is greater (Wired.com Aug. 17).