December 09, 2011

Four charged with hacking Subway, other retailers

Four Romanian nationals have been charged with remotely hijacking the credit card processing systems of more than 150 Subway restaurants in the United States, along with dozens of other unnamed retailers, the federal prosecutors announced Thursday.

The defendants, all in their 20s, compromised the credit card data of 80,000 customers and made millions of dollars in unauthorized purchases, according to the U.S. Department of Justice. Starting in 2008 and through May of this year, the defendants hacked into more than 200 U.S.-based merchants' point-of-sale (POS) systems, which are used to process transactions.

The defendants – Adrian-Tiberiu Oprea, 27, of Constanta; Iulian Dolan, 27, of Craiova; Cezar Iulian Butu, 26, of Ploiesti; and Florin Radu, 23, of Rimnicu Vilcea –  each were charged in New Hampshire with conspiracy to commit computer fraud, wire fraud and access device fraud.

Oprea was arrested last week in Romania and is currently in custody there. Butu and Dolan were both arrested in mid-August upon entering the United States. Radu remains at large.

The defendants scanned the internet to identify vulnerable POS systems, then logged in to the targeted devices either by guessing the passwords or using password-cracking programs, federal prosecutors said. They then installed keyloggers on the systems that would record any data keyed into or swiped through the machines.

After being logged, the data was electronically transferred back to the attackers' servers. The defendants installed backdoor trojans onto the POS systems, which  allowed them to access the devices later to install other malicious programs used to conduct the scam.

If convicted, each could face up to 40 years in prison. In addition, they face fines up to twice the amount of the fraud loss.

Kevin Kane, a Subway spokesman, told SCMagazineUS.com in an email Wednesday that the breach affected a “small percentage” of its restaurants. Following discovery of the intrusion, franchisees upgraded their point-of-sale registers.

“We now have ... the most secure credit card processing [hardware] in the industry,” Kane said. “There have been no issues since the upgrade, and consumers should be confident that it is safe to use their credit cards at Subway restaurants.”

Related Articles
Related Topics
Related Links

More in News

Privacy-bolstering "Apps Act" introduced in House

The bill would provide consumers nationwide with similar protections already enforced by a California law.

Microsoft readies permanent fix for Internet Explorer bug used in energy attacks

Microsoft is prepping a whopper of a security update that will close 33 vulnerabilities, likely including an Internet Explorer (IE) flaw that has been used in targeted website attacks against the U.S. government.

Weakness in Adobe ColdFusion allowed court hackers access to 160K SSNs

Up to 160,000 Social Security numbers and one million driver's license numbers may have been accessed by intruders.