Four charged with hacking Subway, other retailers

Share this article:
Four Romanian nationals have been charged with remotely hijacking the credit card processing systems of more than 150 Subway restaurants in the United States, along with dozens of other unnamed retailers, the federal prosecutors announced Thursday.

The defendants, all in their 20s, compromised the credit card data of 80,000 customers and made millions of dollars in unauthorized purchases, according to the U.S. Department of Justice. Starting in 2008 and through May of this year, the defendants hacked into more than 200 U.S.-based merchants' point-of-sale (POS) systems, which are used to process transactions.

The defendants – Adrian-Tiberiu Oprea, 27, of Constanta; Iulian Dolan, 27, of Craiova; Cezar Iulian Butu, 26, of Ploiesti; and Florin Radu, 23, of Rimnicu Vilcea –  each were charged in New Hampshire with conspiracy to commit computer fraud, wire fraud and access device fraud.

Oprea was arrested last week in Romania and is currently in custody there. Butu and Dolan were both arrested in mid-August upon entering the United States. Radu remains at large.

The defendants scanned the internet to identify vulnerable POS systems, then logged in to the targeted devices either by guessing the passwords or using password-cracking programs, federal prosecutors said. They then installed keyloggers on the systems that would record any data keyed into or swiped through the machines.

After being logged, the data was electronically transferred back to the attackers' servers. The defendants installed backdoor trojans onto the POS systems, which  allowed them to access the devices later to install other malicious programs used to conduct the scam.

If convicted, each could face up to 40 years in prison. In addition, they face fines up to twice the amount of the fraud loss.

Kevin Kane, a Subway spokesman, told SCMagazineUS.com in an email Wednesday that the breach affected a “small percentage” of its restaurants. Following discovery of the intrusion, franchisees upgraded their point-of-sale registers.

“We now have ... the most secure credit card processing [hardware] in the industry,” Kane said. “There have been no issues since the upgrade, and consumers should be confident that it is safe to use their credit cards at Subway restaurants.”

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Apple implements two-factor authentication

The company followed through on its promise to up iCloud security by implementing two-factor authentication earlier this week.

C&K apologizes for unauthorized access that led to Goodwill breach

A web hosting service apologized for intermittent unauthorized access of its hosted environment over 18 months that led to the Goodwill breach.

Yelp and TinyCo settle with FTC over COPPA Rule violations

Yelp and TinyCo settle with FTC over COPPA ...

Yelp will pay $450,000, and TinyCo will pay $300,000 to settle charges that their mobile apps collected information from children under the age of 13.