Two Romanian men pled guilty this week to charges they hacked into the point of sale systems of more than 200 restaurants, compromising the payment cards of 146,000 customers and amassing more than $10 million over the last few years.
Included in those 200 stores were more than 150 Subway sandwich shops and dozens of other small businesses that were targeted from 2009 to 2011 judging by research done by the U.S. Secret Service alongside the New Hampshire State Police and Romanian authorities.
According to a press release posted by the Department of Justice yesterday, Iulian Dolan, 28, of Craiova, Romania, plead guilty to one count of conspiracy to commit computer fraud and two counts of conspiracy to commit access device fraud and Cezar Butu, 27, of Ploiesti, Romania pled guilty to one count of conspiracy to commit access device fraud.
Working alongside co-conspirator Adrian-Tiberiu Oprea, also of Romania, the hackers cracked the passwords of point-of-sale (POS) terminals and installed keystroke loggers to record customers’ card data. That data was subsequently dumped on the Internet by Oprea using a series of online storage sites and later retrieved by Dolan. Dolan acknowledged that Oprea “attempted to use the stolen payment card data to make unauthorized charges on, or transfers of funds from, the accounts” and tried to sell some of the information.
In Butu’s plea agreement he alleges he asked Oprea for the stolen, data but instead was supplied with directions on how to access the online storage sites. Butu later used this information to “make unauthorized charges on, or transfers of funds from” roughly 140 cardholders according to the DOJ report.
The three hackers were charged, along with fellow Romanian Florin Radu, back in December 2011.
According to their pleas, Dolan is being sentenced to seven years in prison and Butu to 21 months. Oprea meanwhile is in U.S. custody and awaiting trial in New Hampshire after being arrested in Romania last year, and extradited to the US in May. Radu appears to still be at large.
*Subway homepage image via pat00139‘s Flickr photostream, Creative Commons.