A Romanian national is being sentenced in the United States to 21 months in prison for his role in a successful plot to hack customer credit-card-processing systems at more than 150 Subway restaurants and 50 other unnamed retailers.
In all, four Romanian hackers compromised the credit-card data of more than 80,000 U.S. customers and used the data to make millions of dollars in unauthorized purchases, according to a 2011 federal indictment. (.pdf) Cezar Butu was handed a nearly two-year-term Monday in a New Hampshire federal court after pleading guilty in September to his role in the scam.
From 2008 until May 2011, the four are accused of hacking into more than 200 point-of-sale (POS) systems in order to install a keystroke logger and other sniffing software that would steal customer credit, debit and gift-card numbers. The hackers also placed backdoors on the systems to provide ongoing access.
The hackers allegedly scanned the internet to identify vulnerable POS systems with certain remote desktop software applications installed on them, and then used the applications to log into the targeted POS system, either by guessing the passwords or using password-cracking software.
Another implicated Romanian, Iulian Dolan, is expected to receive a 7-year term when sentenced in April after pleading guilty to the conspiracy. A third defendant, Adrian-Tiberiu Oprea, is scheduled for trial next month. A fourth implicated Romanian, Florin Radu, remains at large.
POS systems generally consist of a card scanner at a checkout register where customers scan their cards and type in a PIN or provide a signature, as well as a computer system for transferring the data to a card processor for verification and approval.
The indictment did not identify the POS system used by Subway, but the sandwich chain announced in January 2009 that it was deploying the Torex Quick Service POS in all of its 30,000 restaurants.
The indictment doesn't name the other victims outside of Subway or the remote desktop software application the hackers targeted, but the case shares similarities to what occurred to seven U.S. restaurants who sued the maker of a POS in 2009 for allegedly failing to secure the product from a Romanian hacker who breached their systems.