80k Subway customers fleeced in credit card hack

Powered by SC Magazine

Payment terminals had guessable passwords.

Four Romanian nationals have been charged with remotely hijacking the credit card processing systems of more than 150 Subway restaurants along with dozens of other unnamed retailers in the US.

The defendants, all in their 20s, compromised the credit card data of 80,000 customers and made millions of dollars in unauthorised purchases, the Department of Justice said.

The defendants hacked into more than 200 point-of-sale (POS) systems between 2008 and May this year.

They scanned the internet to identify vulnerable POS systems, then logged in to the targeted devices either by guessing the passwords or using password-cracking programs, federal prosecutors said.

They then installed keyloggers on the systems that would record any data keyed into or swiped through the machines.

After being logged, the data was electronically transferred back to the attackers' servers.

The defendants installed backdoor trojans onto the POS systems, which allowed them to access the devices later to install other malicious programs used to conduct the scam.

If convicted, each could face up to 40 years in prison. In addition, they face fines up to twice the amount of the fraud loss.

Subway spokesman Kevin Kane said the breach affected a “small percentage” of its restaurants and that franchisees have upgraded their POS registers.

“We now have ... the most secure credit card processing [hardware] in the industry,” Kane said. “There have been no issues since the upgrade, and consumers should be confident that it is safe to use their credit cards at Subway restaurants.”

Each defendant was charged with conspiracy to commit computer fraud, wire fraud and access device fraud.

One man was arrested last week in Romania and is currently in custody there. Two others were arrested in mid-August when they entered the US.

A forth man remains at large.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition

80k Subway customers fleeced in credit card hack
Top Stories
Myer CIO named retailer's new chief executive
Richard Umbers to lead data-driven retail strategy.
Empty terminals and mountains of data
Qantas CIO Luc Hennekens says no-one is safe from digital disruption.
Sign up to receive iTnews email bulletins
Latest Comments
Who do you trust most to protect your private data?

   |   View results
Your bank
Your insurance company
A technology company (Google, Facebook et al)
Your telco, ISP or utility
A retailer (Coles, Woolworths et al)
A Federal Government agency (ATO, Centrelink etc)
An Australian law enforcement agency (AFP, ASIO et al)
A State Government agency (Health dept, etc)

Do you support the abolition of the Office of the Information Commissioner?

   |   View results
I support shutting down the OAIC.
I DON'T support shutting the OAIC.