Four Romanian nationals have been charged with hacking card-processing systems at more than 150 Subway restaurants and 50 other unnamed retailers, according to an indictment unsealed Thursday.
The hackers compromised the credit-card data of more than 80,000 customers and used the data to make millions of dollars of unauthorized purchases, according to the indictment (.pdf).
From 2008 until May 2011, the hackers allegedly hacked into more than 200 point-of-sale (POS) systems in order to install a keystroke logger and other sniffing software that would steal customer credit, debit and gift-card numbers. They also placed backdoors on the systems to provide ongoing access.
The hackers allegedly scanned the internet to identify vulnerable POS systems with certain remote desktop software applications installed on them, and then used the applications to log into the targeted POS system, either by guessing the passwords or using password-cracking software programs.
POS systems generally consist of a card scanner at a checkout register where customers scan their cards and type in a PIN or provide a signature, as well as a computer system for transferring the data to a card processor for verification and approval.
The indictment doesn’t identify the POS system used by Subway, but the sandwich chain announced in January 2009 that it was deploying the Torex Quick Service POS in all of its 30,000 restaurants.
Adrian-Tiberiu Oprea, 27, Iulian Dolan, 27, Cezar Iulian Butu, 26, and Florin Radu, 23, were charged in the District of New Hampshire with four counts, including conspiracy to commit computer fraud, wire fraud and access device fraud. The indictment refers to two unindicted co-conspirators who used the online nicknames “tonymontanamiami” and “marcos_grande69.”
Oprea was arrested last week in Romania and is in custody there. Dolan and Butu were arrested upon entering the U.S. last August. Radu remains at large.
The indictment doesn’t name the other victims outside of Subway or the remote desktop software application the hackers targeted, but the case shares similarities to what occurred to seven U.S. restaurants who sued the maker of a POS in 2009 for failing to secure the product from a Romanian hacker who breached their systems.
The restaurants, located in Louisiana and Mississippi, filed a class-action suit against Georgia-based Radiant Systems, maker of the Aloha POS system. The plaintiffs say the point-of-sale system Radiant sold them was not compliant with payment-card industry security standards and resulted in an undetermined number of customers having their debit and credit card numbers stolen.
The suit alleged that the system stored all the data embedded on the bank card magnetic stripe after the transaction was completed — a violation of industry security standards.
Also named in the suit is Computer World, a Louisiana-based retailer, which sold and maintained Radiant’s Aloha POS system.
According to plaintiffs, Computer World’s technicians allegedly installed the remote-access program PCAnywhere on the systems to allow its technicians to fix technical problems from off-site. The only problem is, the company failed to secure the program. The suit alleges that the system was not up to date with software patches, and the PCAnywhere remote login and password that technicians used to access the POS systems was the same at every one of the 200 Louisiana locations where the system was installed. According to one of the plaintiffs who spoke with Threat Level, the default login was “administrator” and the password was “computer.”
A hacker, believed to be based in Romania, accessed the systems of at least 19 businesses through the PCAnywhere software, and possibly others according to the plaintiffs. Once inside, the hacker installed malware to grab card data as it was swiped and send it to an e-mail address in Romania.
It’s not known if the Subway breaches and the breaches involving the Radiant systems at other restaurants were done by the same intruders.