Federal prosecutors have charged one Ukrainian and four Russian hackers with stealing credit card and other financial information from companies including J.C. Penney, Carrefour, 7-Eleven, Jet Blue Airways and Dow Jones.
The indictment that was unsealed in New Jersey on July 25 details a computer crime spree that began in 2005 and netted hundreds of millions of dollars, a sum sufficient to make it “possibly the biggest hacking scheme ever prosecuted by the U.S. government” according to government sources quoted in a Wall Street Journal article about the case.
The indictment details how the hackers scouted retailers in 2007 and 2008 to determine the types of payment processing systems in use. The hackers penetrated corporate networks and installed software that allowed them back door access the systems later.
According to the same WSJ article, the hackers used leased computers in New Jersey, Latvia, the Bahamas, Panama and other places to carry out their attacks and even set up Google alerts to let them know when the data breeches had become news so that they could stay ahead of law enforcement agencies.
The five persons named in the indictment as co-conspirators face a variety of charges that include operating a computer hacking conspiracy and conspiracy to commit wire fraud. The five are Alexandr Kalinin, Vladimir Drinkman, Dmitriy Smilianets, Roman Kotov and Mikhail Tytikov. Smilianets is in U.S. custody and Drinkman is in custody in the Netherlands pending extradition, but the other three remain at large and may be in Russia. The five allegedly stole more than 160 million credit and debit card numbers and caused a payment processor to lose of more than 200M.
The WSJ reports that Mr. Kalinin has been charged by the U.S. District Attorney in Manhattan with being a part of two separate scams, one to hack NASDAQ servers and another to steal bank account information for 800,000 accounts.
Retailers are facing increasingly frequent and costly attacks by hackers from Eastern Europe and across the globe. The costs of a data breach in retail IT can be substantial and include loss of reputation, revenue, trust and fines from card companies and regulators.