Aug. 18 (Bloomberg) -- A Miami man and two unidentified computer hackers were charged with stealing 130 million credit and debit card numbers in what the Justice Department said was the largest such prosecution in U.S. history.

Albert Gonzalez, a 28-year-old Miami resident, and two hackers living “in or near Russia” were indicted yesterday by a federal grand jury in Newark, New Jersey, for stealing data from Heartland Payment Systems Inc., 7-Eleven Inc., Delhaize Group’s Hannaford Brothers Co. and two unidentified national retailers.

The hackers stole 130 million card numbers from Heartland, a bank-card payment processor, starting in December 2007, by using malicious computer software, according to the 14-page indictment. An undetermined number of card numbers were stolen from 7-Eleven and 4.2 million from Hannaford, a regional supermarket chain, according to the indictment.

“This investigation marks the continued success of law enforcement in tracking down cutting edge hacking schemes committed by hackers working together across the globe,” acting U.S. Attorney Ralph Marra said in a statement.

Gonzalez, who is in federal custody in Brooklyn, New York, was indicted last year by federal grand juries in Massachusetts and New York for data breaches at companies. He was a federal informant after his arrest in New Jersey by the U.S. Secret Service in 2003 in a case involving hackers known as the Shadowcrew, the U.S. Attorney’s Office in Boston said in a statement after indicting him on Aug. 5, 2008.

Confidential Informant

“During the course of this investigation, the Secret Service discovered that Gonzalez, who was working as a confidential informant for the agency, was criminally involved in the case,” the statement said. It said he faces life in prison on last year’s charges of theft of credit and debit card numbers because of the “size and scope of his criminal activity.”

Gonzalez and the two hackers were charged in Newark yesterday with two counts of conspiracy in a scheme to sell data they stole using computers in New Jersey, California, Illinois, Latvia, Ukraine and the Netherlands, according to the indictment. He faces up to 35 years in prison in the new case.

“The scope is massive,” Assistant U.S. Attorney Erez Liebermann said yesterday in an interview.

Gonzalez’s involvement shows “he had the ability to put together teams of hackers who were able to carry out these data breaches and steal massive amounts of data in the forms of credit and debit card numbers,” Liebermann said.

‘Worked Very, Very Hard’

“This guy worked very, very hard at something he was very good at,” the prosecutor said. “He found the right people to successfully accomplish his objective, which was to identify victim corporations and steal credit and debit card numbers.”

An attorney for Gonzalez, Rene Palomino Jr. in Miami, didn’t immediately return calls seeking comment.

Dallas-based 7-Eleven said today in a statement it first learned of the security breach in late 2007. The breach was confined to customers’ use of third-party automated teller machines in its stores during a 12-day period that started on Oct. 28, 2007, 7-Eleven said.

“Steps were immediately taken to contain the security breach and prevent any recurrence,” 7-Eleven said. The card- issuing financial institutions also received notice of the incursion and each made its own decision about what steps to take next, the convenience-store operator said.

Shadowcrew Arrests

In the Shadowcrew case, the U.S. Secret Service arrested 21 people in the U.S. in October 2004 for their role in one of the largest online centers for trafficking in stolen credit and bank card numbers. Gonzalez wasn’t indicted in that case.

Federal prosecutors in Boston charged Gonzalez and others with stealing credit and debit card numbers from companies including TJX Cos., BJ’s Wholesale Club Inc., OfficeMax Inc., Barnes & Noble Inc. and Sports Authority Inc.

Prosecutors in the Eastern District of New York charged Gonzalez and others with stealing credit and debit card numbers from the Dave & Buster’s Inc. restaurant chain.

In the new case, the hackers scouted potential victims by reviewing a list of Fortune 500 companies and then visiting retail stores to identify the payment processing systems and their vulnerabilities, prosecutors said. They used software known as malware and so-called injection strings to attack the computers and steal data, prosecutors said.

‘Sniffer’ Programs

They installed “sniffer” programs to capture data “on a real-time basis” as it moved through the computer networks and used instant messaging services to advise each other on how to navigate the systems, according to the indictment. They also programmed malware to evade detection by anti-virus software and erase files that might detect its presence, prosecutors said.

Heartland, based in Princeton, New Jersey, is used by 175,000 businesses at 250,000 locations. The company said Jan. 20 it found “malicious software” in its processing system that hackers used to steal data in 2008.

“Heartland looks forward to lending whatever support we can to this investigation as well as the broader fight against global cyber criminals,” Chief Executive Officer Robert Carr said yesterday in a statement.

In a Feb. 24 conference call, Carr said the company was the subject of an informal inquiry by the Securities and Exchange Commission, as well as investigations by the Justice Department, the Federal Trade Commission and the Office of the Comptroller of the Currency.

A shareholder sued Heartland directors and officers on July 14 in federal court in Trenton, New Jersey, for alleged breach of fiduciary duty before the cyber attack.

Jason Maloni, a company spokesman, said in a July 16 interview Heartland was cooperating with government investigators. Heartland had “undergone a number of steps to enhance our security and raise the understanding of the growing threat of cyber-criminals among the entire financial sector, including our own competitors,” he said.

Heartland shares rose 28 cents to $10.91 in New York Stock Exchange composite trading.

The case is U.S. v. Gonzalez, U.S. District Court, District of New Jersey (Newark).

To contact the reporter on this story: David Voreacos in Newark, New Jersey, at dvoreacos@bloomberg.net.

Last Updated: August 18, 2009 16:11 EDT