December 09, 2011

Four charged with hacking Subway, other retailers

Four Romanian nationals have been charged with remotely hijacking the credit card processing systems of more than 150 Subway restaurants in the United States, along with dozens of other unnamed retailers, the federal prosecutors announced Thursday.

The defendants, all in their 20s, compromised the credit card data of 80,000 customers and made millions of dollars in unauthorized purchases, according to the U.S. Department of Justice. Starting in 2008 and through May of this year, the defendants hacked into more than 200 U.S.-based merchants' point-of-sale (POS) systems, which are used to process transactions.

The defendants – Adrian-Tiberiu Oprea, 27, of Constanta; Iulian Dolan, 27, of Craiova; Cezar Iulian Butu, 26, of Ploiesti; and Florin Radu, 23, of Rimnicu Vilcea –  each were charged in New Hampshire with conspiracy to commit computer fraud, wire fraud and access device fraud.

Oprea was arrested last week in Romania and is currently in custody there. Butu and Dolan were both arrested in mid-August upon entering the United States. Radu remains at large.

The defendants scanned the internet to identify vulnerable POS systems, then logged in to the targeted devices either by guessing the passwords or using password-cracking programs, federal prosecutors said. They then installed keyloggers on the systems that would record any data keyed into or swiped through the machines.

After being logged, the data was electronically transferred back to the attackers' servers. The defendants installed backdoor trojans onto the POS systems, which  allowed them to access the devices later to install other malicious programs used to conduct the scam.

If convicted, each could face up to 40 years in prison. In addition, they face fines up to twice the amount of the fraud loss.

Kevin Kane, a Subway spokesman, told SCMagazineUS.com in an email Wednesday that the breach affected a “small percentage” of its restaurants. Following discovery of the intrusion, franchisees upgraded their point-of-sale registers.

“We now have ... the most secure credit card processing [hardware] in the industry,” Kane said. “There have been no issues since the upgrade, and consumers should be confident that it is safe to use their credit cards at Subway restaurants.”

Related Articles
Related Topics
Related Links

Sign up to our newsletters

More in News

House Intelligence Committee OKs amended version of controversial CISPA

Despite the 18-to-2 vote in favor of the bill proposal, privacy advocates likely will not be satisfied, considering two key amendments reportedly were shot down.

Judge rules hospital can ask ISP for help in ID'ing alleged hackers

The case stems from two incidents where at least one individual is accused of accessing the hospital's network to spread "defamatory" messages to employees.

Three LulzSec members plead guilty in London

Ryan Ackroyd, 26; Jake Davis, 20; and Mustafa al-Bassam, 18, who was not named until now because of his age, all admitted their involvement in the hacktivist gang's attack spree.