DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Four Romanian nationals indicted for hacking Subway and 50 other merchants’ POS systems

Posted on December 8, 2011 by Dissent

The U.S. Dept. of Justice has issued a press release about an indictment that may relate to some breaches involving Subway Restaurant previously reported on this blog. The case was filed May 4, but the indictment has just been unsealed.

Four Romanian nationals have been charged in federal court for their alleged participation in an international multimillion dollar scheme to remotely hack into and steal payment card data from hundreds of U.S. merchants’ point of sale (POS) computer systems.

Adrian-Tiberiu Oprea, 27, of Constanta, Romania; Iulian Dolan, 27, of Craiova, Romania; Cezar Iulian Butu, 26, of Ploiesti, Romania; and Florin Radu, 23, of Rimnicu Vilcea, Romania, were charged in a four-count indictment filed in the District of New Hampshire with conspiracy to commit computer fraud, wire fraud and access device fraud. Oprea was arrested last week in Romania and is currently in custody there. Dolan and Butu were arrested upon their entry into the United States on Aug. 13 and Aug. 14, 2011, respectively, and remain in United States custody. Radu remains at large.

According to the indictment, from approximately 2008 until May 2011, Oprea, Dolan, Butu and Radu conspired to remotely hack into more than 200 U.S.-based merchants’ POS systems in order to steal customers’ credit, debit and gift card numbers and associated data. The indictment alleges that as part of the conspiracy, the members remotely scanned the internet to identify vulnerable POS systems with certain remote desktop software applications (RDAs) installed on them, and using these RDAs, the conspirators logged onto the targeted POS systems over the internet, either by guessing the passwords or using password-cracking software programs. The failure of a number of installers and users to change the default login credentials on such RDAs has been a factor in other cases reported on this blog in the past and Visa has repeatedly advised merchants to disable RDAs unless absolutely necessary. In this case, the members also allegedly installed keyloggers and a backdoor to allow them further access to the systems over time. Prosecutors allege that the conspirators repeatedly “downloaded a hacker tool that is designed to evade detection, “xp.exe,” from the “kitsite.info” “dump site” onto victims’ POS terminals.” Data were stored on domestic and non-U.S. servers including ftp.shopings.info, ftp.justfuckit.info, ftp.cindarella.info, ftp.kitsite.info, ftp.tushtime.info, ftp.canadasite.info, and sendspace.com. The  dump sites  also included compromised internet-connected computers belonging to unsuspecting small business owners or individuals, including a computer server owned by a small business in Pennsylvania. Many of the dump sites were registered with GoDaddy.com.

Merchant victims include more than 150 Subway restaurant franchises (which is less than 1 percent of all Subway restaurants), located throughout the United States, including in the District of New Hampshire, as well as more than 50 other identified retailers. According to the indictment, members of the conspiracy have compromised the credit card data of more than 80,000 customers, and millions of dollars of unauthorized purchases have been made using the compromised data. The other merchants were not named in the indictment.

If convicted, the defendants face a maximum of five years in prison for each count of conspiracy to commit computer related fraud, 30 years in prison for each count of conspiracy to commit wire fraud and five years in prison for each count of conspiracy to commit access device fraud. They also face fines up to twice the amount of the fraud loss and restitution.

Although it didn’t garner much media coverage, this blog had reported incidents involving  card fraud at Subway locations in California and New York in 2009 and May 2010. Without knowing the identities of the other merchants, it’s unclear whether we knew about any of their breaches at the time or whether they ever notified affected customers.

Image credit: Saniphoto | Dreamstime

Category: Breach IncidentsBusiness SectorHackID TheftOf NoteU.S.

Post navigation

← David Cecil, pleads guilty to 2 of 48 charges, faces 10years jail
Hershey Medical Center employee fired after breach of Joe Paterno's records →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • After $1 Million Ransom Demand, Virgin Islands Lottery Restores Operations Without Paying Hackers
  • Junior Defence Contractor Arrested For Leaking Indian Naval Secrets To Suspected Pakistani Spies
  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up
  • U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
  • Victoria’s Secret takes down website after security incident
  • U.S. Government Employee Arrested for Attempting to Provide Classified Information to Foreign Government

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.