Arrests made over Subway hack

Posted by Emma Woollacott

Four Romanians have been charged over a multi-million-dollar scheme to hack more than 50 US-based merchants - including Subway - and steal credit card data.

Adrian-Tiberiu Oprea, Iulian Dolan, Cezar Iulian Butu and Florin Radu, 23, face charges in the District of New Hampshire of conspiracy to commit computer fraud, wire fraud and access device fraud. Oprea was arrested last week in Romania and is currently in custody there. Dolan and Butu were arrested upon their entry into the United States in August, while Radu remains at large.

According to the indictment, from approximately 2008 until May 2011, the four men conspired to remotely hack into more than 200 US-based merchants’ point-of-sale computer systems in order to steal customers’ credit, debit and gift card numbers and associated data. 

The victims include more than 150 Subway restaurant franchises, located throughout the United States, as well as over 50 other identified retailers. 

According to the indictment, the hackers compromised the credit card data of more than 80,000 customers, using it to make millions of dollars of unauthorized purchases.

They did it, apparently, by remotely scanning the internet to identify vulnerable point-of-sale systems with certain remote desktop software applications installed. They then either guessed or cracked the passwords to log on to the POS systems.

Using keystroke loggers, they recorded and stored data that was keyed into or swiped through the merchants’ POS systems, including credit card data.

The hackers then installed a back-door Trojan on the POS systems, giving them easy access in the future to install or re-install additional hacker tools.

"The U.S. accounts for 47 percent of debit and credit card fraud despite only accounting for 27 percent of transactions, according to a recent report," says Lisa Vaas of security firm Sophos.

"I don't know if Subway had unpatched vulnerabilities on its POS systems or what. But whatever merchants have to do, yikes, please do it."

If convicted, the four men face up to five years in prison for each count of conspiracy to commit computer-related fraud, 30 years in prison for each count of conspiracy to commit wire fraud and five years in prison for each count of conspiracy to commit access device fraud. They also face fines of up to twice the amount of the fraud loss, and restitution.