Four Romanian nationals were charged with hacking into the credit card processing systems of some 150 Subway sandwich shops and those of 50 other unnamed retailers, according to a copy of the indictment [PDF].
The four men and two co-conspirators, identified by their online pseudonyms, “marcos_grande69” and “tonymontanamiami,” stand accused of conspiring to remotely access more than 200 point-of-sale (POS) systems belonging to American retailers.
The men allegedly compromised the credit card data of at least 80,000 customers and spent millions on unauthorized purchases using that data. The charges against the men include one count of conspiracy to commit computer-related fraud, one count of conspiracy to commit wire fraud, and two counts of conspiracy to commit fraud in connection with access device.
The criminal complaint was filed in May, but unsealed on Wednesday. It describes a scam that ran for more than three years, from April 2008 until March of 2011. The named individuals, Adrian-Tiberiu Oprea, Cezar Iulian Butu, Iulian Dolan and Florin Radu are accused of knowingly accessing point of sale terminals via an unnamed remote desktop application, without authorization, and installing keyloggers on them. In addition, the men are alleged to have installed Trojan horse programs on the POS systems so they could easily access the systems at a later time and install or reinstall malware.
The conspirators allegedly used “dump sites” inside and outside the US as storage servers for the data they gleaned from the various POS systems. They are further accused of creating fake credit cards with stolen information, which they used for themselves and sold to others.
The indictment does not name the POS system in use, but an article in Computer World from 2009 (cited by Wired) claims the sandwich chain deployed the Torex QuickService Restaurant system to all of its 30,000 locations at that time.
Oprea, Dolan, Butu, and Radu were charged in the district of New Hampshire. Oprea was arrested in Romania, Dolan and Butu were taken into custody when entering the US in August, and Radu remains at large, according to Wired.
This isn’t the first time a POS system has come up in connection with a wire fraud case. In March of this year, a Massachusetts based restaurant chain, the Briar Group, was made to pay $110,000 after failing to protect the personal information of their patrons. Briar Group LLC was the first business charged under the Massachusetts data breach law, which is the toughest in the nation.