Two men charged with hacking Subways to load up gift cards

Share this article:

Two California men have been charged with hacking and wire fraud after compromising a number of point-of-sale (POS) systems at Subway restaurants.

Shahin Abdollahi, 46, of Lake Elsinore and Jeffrey Wilkinson, 35, of Rialto are accused of remotely accessing at least 13 POS devices to add tens of thousands of dollars in value to Subway gift cards. The pair was charged in an indictment unsealed Friday in Boston. One of the victim stores is located in nearby Franklin, Mass.

According to the indictment, Abdollahi, a former Subway franchisee for four years, opened a POS business in 2008 in Southern California. The company sold POS equipment to merchants, specifically Subway, across the country.

Most, if not all, of the POS computers sold by Abdollahi also included a remote desktop application, which was used to remotely access 13 of the systems during the wee hours in late 2011 and early 2012, prosecutors said. The defendants used that access to fraudulently load "dollar values" – totaling $40,000 – onto gift cards in their possession.

The men are accused of using the gift cards to make purchases at Subway locations in California, and also with selling the gift cards on sites like eBay and Craigslist. The indictment alleges that Wilkinson placed the ads on the sites and, on one occasion, sold the fraudulent gift cards to a person identified as "B.J." in court documents.

Subway has been a visible target of late. In December 2011, four Romanian nationals were charged with remotely hijacking the credit card processing systems of more than 150 Subway restaurants in the United States, along with dozens of other unnamed retailers, the federal prosecutors announced. The defendants, all in their 20s, compromised the credit card data of 80,000 customers and made millions of dollars in unauthorized purchases.

At least one since has been sentenced.

Attorneys for the latest defendants could not be reached.

Share this article:

Sign up to our newsletters

More in News

Report: SQL injection a pervasive threat, behavioral analysis needed

Report: SQL injection a pervasive threat, behavioral analysis ...

Long lag times between detection and resolution and reliance on traditional methods impair an organization's ability to combat SQL injection attacks.

WhatsApp bug allows for interception of shared locations

Researchers identified a vulnerability in WhatsApp that could enable an attacker to intercept shared locations using a man-in-the-middle attack, or a rogue access point.

Google tweaks its terms of service for clarity on Gmail scanning

The company is currently dealing with a lawsuit that challenges its email scanning practices.