A 28 year old Miami man has been charged with stealing 130 million credit card numbers, mostly from large retail companies, in the largest such heist ever recorded.

Albert Gonzalez, who goes by the hacking moniker ‘soupnazi’, allegedly worked with two unidentified Russian accomplices to steal credit card details from companies including 7-Eleven, supermarket chain Hannafords, Heartland (a US payment processing firm), and a further two unnamed companies. The gang would use information gathered from checkout machines to hack into corporate computer systems before uploading stolen data to servers in the US, Ukraine, Latvia and the Netherlands.

Gonzalez, who has previously hunted hackers for the US Secret Service, was also accused of stealing customer data from US retail chain TK Max in 2006. He is currently in jail in New York for allegedly stealing the credit card details of 40 million people.

Unusually for such cases, endpoint security firm Lumension noted that one of the major victims of the latest haul, Heartland, was declared PCI compliant by a Qualified Security Assessor (QSA) shortly before the breaches occurred. Despite being compliant, the payment systems firm is up for an estimated £32 million in recovery efforts.

Lumension’s senior vice president Andrew Clarke said that while the QSA would be contractually insulated from liability, “the question now is not whether the QSA is negligent in leaving Heartland exposed or if Heartland was negligent in its security practices. The issue is that Heartland is paying the price for the breach. There is simply too much at stake to assume a compliance audit equates with full operational endpoint security,” he added.