Two Romanians plead guilty in Subway hack
Charged as part of a conspiracy that led to $10 million in Subway restaurant customer payment card losses
IDG News Service - Two Romanian men have pleaded guilty to participating in a $10 million scheme to hack into the computers of hundreds of Subway restaurants in the U.S. and steal payment card data, the U.S. Department of Justice said.
Iulian Dolan, 28, of Craiova, Romania, pleaded guilty Monday to one count of conspiracy to commit computer fraud and two counts of conspiracy to commit access device fraud, and Cezar Butu, 27, of Ploiesti, Romania, pleaded guilty to one count of conspiracy to commit access device fraud, the DOJ said.
Dolan and Butu were two of four Romanians charged in December in U.S. District Court for the District of New Hampshire with hacking Subway point-of-sale computers.
In his plea agreement, Dolan has agreed to be sentenced to seven years, and Butu has agreed to be sentenced to 21 months in prison.A
The two men, in their guilty pleas, acknowledged participating in a Romanian-based conspiracy, lasting from 2009 to 2011, to hack into hundreds of U.S. point-of-sale (POS) computers, the DOJ said. Co-conspirator Adrian-Tiberiu Oprea is in U.S. custody and awaiting trial in New Hampshire. The group used stolen payment card data to make unauthorized charges or to transfer funds from the cardholders' accounts, the DOJ said.
The scheme involved more than 146,000 compromised payment cards and more than $10 million in losses, the DOJ said.
During the conspiracy, Dolan remotely scanned the Internet to identify vulnerable POS systems in the U.S. with certain remote desktop software applications (RDAs) installed on them, the DOJ said. Using these RDAs, Dolan logged onto the targeted POS systems over the Internet.A The systems were often password-protected and Dolan attempted to crack the passwords to gain administrative access.A
He then installed keystroke logging software onto the POS systems and recorded all of the data that was keyed into or swiped through the POS systems, including customers' payment card data, the DOJ said.
Dolan electronically transferred the payment card data to various electronic storage locations, called dump sites, that Oprea had set up, the DOJ said. Oprea later attempted to use the stolen payment card data to make unauthorized charges on, or transfers of funds from, the accounts, the DOJ alleged, and he attempted to sell the stolen payment card data to other co-conspirators.A
Dolan stole payment card data belonging to approximately 6,000 cardholders, the DOJ said.A Dolan received $5,000 to $7,500 in cash and personal property from Oprea for his efforts, the DOJ alleged.
In his plea agreement, Butu said he repeatedly asked Oprea to provide him with stolen payment card data and that Oprea provided him with instructions for how to access the website where Oprea had stored a portion of the stolen payment card data, the DOJ alleged.
Butu later attempted to use the stolen payment card data to make unauthorized charges on, or transfers of funds from, the accounts.A He also attempted to sell, or otherwise transfer, the stolen payment card data to other co-conspirators. Butu acquired stolen payment card data from Oprea belonging to approximately 140 cardholders, the DOJ alleged.A
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is email@example.com.
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Why You Need a Next-Generation Firewall This white paper explores the reasons for implementing next-generation (NG) firewalls and lays out a path to success for overburdened IT organizations.
- Why Projects Fail CIOs are expected to deliver more projects that transform business, and do so on time, on budget and with limited resources.
- The New Business Case for Video Conferencing: 7 Real-World Benefits Beyond Cost-Savings This whitepaper provides insight into the value of video conferencing in today's business environment, and how organizations are using visual collaboration to find...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Malware and Vulnerabilities White Papers | Webcasts