Subway restaurant hacker sentenced to 21 months

Share this article:

A Romanian hacker, who pleaded guilty to compromising the credit card processing systems of Subway restaurants in 2011, has been sentenced to 21 months in prison.

On Monday, a U.S. District Court judge in New Hampshire sentenced 27-year-old Cezar Butu after he pleaded guilty on Sept. 17, 2011 to one count of conspiracy to commit access device fraud.

Butu was one of four Romanian hackers charged with remotely hijacking credit card processing systems of more than 150 Subway restaurants, as well as other retailers in the United States, which resulted in more than $10 million in losses, according to federal prosecutors.

A news release from the U.S. Department of Justice detailed the admission from Butu, saying that from 2009 to 2011, he participated in a Romanian-based conspiracy, which involved hacking into hundreds of U.S.-based point-of-sale (POS) systems to steal consumers' financial information. 

Prosecutors said Butu also attempted to sell, or otherwise transfer, the stolen payment card data to other co-conspirators. As well, he admitted to gathering payment card data belonging to approximately 140 cardholders over the course of his spree.

Butu and co-conspirators scanned the internet to identify vulnerable POS systems, then logged in to the targeted devices either by guessing the passwords or using password-cracking programs, according to prosecutors. They then installed keyloggers on the systems to record any data keyed into or swiped through the machines. The recorded data was electronically transferred back to the attackers' servers.

Other co-conspirators in the case include Iulian Dolan, who pleaded guilty to charges and consented to a seven-year prison sentence as part of a plea agreement. His is scheduled to be sentenced April 4. 

Adrian-Tiberiu Oprea, who has not pleaded guilty, is scheduled to be tried Feb. 20 in U.S. District Court in New Hampshire. The fourth man suspected of involvement, Florin Radu, remains at large.

Share this article:

Sign up to our newsletters

More in News

Report: SQL injection a pervasive threat, behavioral analysis needed

Report: SQL injection a pervasive threat, behavioral analysis ...

Long lag times between detection and resolution and reliance on traditional methods impair an organization's ability to combat SQL injection attacks.

WhatsApp bug allows for interception of shared locations

Researchers identified a vulnerability in WhatsApp that could enable an attacker to intercept shared locations using a man-in-the-middle attack, or a rogue access point.

Google tweaks its terms of service for clarity on Gmail scanning

The company is currently dealing with a lawsuit that challenges its email scanning practices.