The defendants, all in their 20s, compromised the credit card data of 80,000 customers and made millions of dollars in unauthorized purchases, according to the U.S. Department of Justice. Starting in 2008 and through May of this year, the defendants hacked into more than 200 U.S.-based merchants' point-of-sale (POS) systems, which are used to process transactions.
The defendants – Adrian-Tiberiu Oprea, 27, of Constanta; Iulian Dolan, 27, of Craiova; Cezar Iulian Butu, 26, of Ploiesti; and Florin Radu, 23, of Rimnicu Vilcea – each were charged in New Hampshire with conspiracy to commit computer fraud, wire fraud and access device fraud.
Oprea was arrested last week in Romania and is currently in custody there. Butu and Dolan were both arrested in mid-August upon entering the United States. Radu remains at large.
The defendants scanned the internet to identify vulnerable POS systems, then logged in to the targeted devices either by guessing the passwords or using password-cracking programs, federal prosecutors said. They then installed keyloggers on the systems that would record any data keyed into or swiped through the machines.
After being logged, the data was electronically transferred back to the attackers' servers. The defendants installed backdoor trojans onto the POS systems, which allowed them to access the devices later to install other malicious programs used to conduct the scam.
If convicted, each could face up to 40 years in prison. In addition, they face fines up to twice the amount of the fraud loss.
Kevin Kane, a Subway spokesman, told SCMagazineUS.com in an email Wednesday that the breach affected a “small percentage” of its restaurants. Following discovery of the intrusion, franchisees upgraded their point-of-sale registers.
“We now have ... the most secure credit card processing [hardware] in the industry,” Kane said. “There have been no issues since the upgrade, and consumers should be confident that it is safe to use their credit cards at Subway restaurants.”