Four Romanian nationals have been charged with remotely hijacking the credit card processing systems of more than 150 Subway restaurants along with dozens of other unnamed retailers in the US.
The defendants, all in their 20s, compromised the credit card data of 80,000 customers and made millions of dollars in unauthorised purchases, the Department of Justice said.
The defendants hacked into more than 200 point-of-sale (POS) systems between 2008 and May this year.
They scanned the internet to identify vulnerable POS systems, then logged in to the targeted devices either by guessing the passwords or using password-cracking programs, federal prosecutors said.
They then installed keyloggers on the systems that would record any data keyed into or swiped through the machines.
After being logged, the data was electronically transferred back to the attackers' servers.
The defendants installed backdoor trojans onto the POS systems, which allowed them to access the devices later to install other malicious programs used to conduct the scam.
If convicted, each could face up to 40 years in prison. In addition, they face fines up to twice the amount of the fraud loss.
Subway spokesman Kevin Kane said the breach affected a “small percentage” of its restaurants and that franchisees have upgraded their POS registers.
“We now have ... the most secure credit card processing [hardware] in the industry,” Kane said. “There have been no issues since the upgrade, and consumers should be confident that it is safe to use their credit cards at Subway restaurants.”
Each defendant was charged with conspiracy to commit computer fraud, wire fraud and access device fraud.
One man was arrested last week in Romania and is currently in custody there. Two others were arrested in mid-August when they entered the US.
A forth man remains at large.