Two Romanians Plead Guilty in Subway Hack Worth $10 Mln

Two Romanian hackers pleaded guilty to roles they played in the point-of-sale attacks that targeted more than 150 Subway franchises and stole data for more than 146,000 accounts. The heist, which spanned the years 2009 to 2011, racked up more than $10 million in losses, federal prosecutors said.

Details revealed in court expose common POS security vulnerabilities that remain a concern for smaller merchants and their banking institutions. The breach compromised Internet-connected POS devices and systems operated by numerous retailers.

Gray Taylor, executive director of the Petroleum Convenience Alliance For Technology Standards, says these types of POS attacks pose increasing concern to all players in the payments industry.

Iulian Dolan, 28, of Craiova, Romania, pleaded guilty to one count of conspiracy to commit computer fraud and two counts of conspiracy to commit credit card fraud, documents filed on Monday in US District Court in New Hampshire showed. Dolan admitted he helped alleged ring leader Adrian-Tiberiu Opera scan the Internet for point-of-sale systems.

Though many of the POS systems were password protected, Dolan cracked the passwords and, where necessary, gained administrative access. He then remotely installed keyloggers or sniffers to record and store all card data that was keyed in or swiped at the POS.

From there, Dolan said he retrieved payment card data from the compromised systems and transferred that data to various dump sites, where Oprea could access the data to attempt using the stolen card information for unauthorized charges or funds transfers from accounts.

Cezar Iulian Butu, 27, of Ploiesti, Romania, pleaded guilty to one count of conspiracy to commit credit card fraud. In a separate plea agreement that was also signed, he admitted repeatedly asking Opera to provide him with payment card data stolen through the conspiracy. He obtained data belonging to about 140 cardholders. Butu has agreed to be sentenced to 21 months in prison.

Opera remains in US custody and is awaiting trial in the District of New Hampshire.