Four Romanian men have been indicted on federal charges for allegedly hacking the card-processing systems at Subway restaurants, including one located in East Northport, and compromising the data of more than 80,000 customers in a scheme that netted millions of dollars in unauthorized charges.
According to the indictment, which was obtained by Wired, Adrian-Tiberiu Oprea, 27, Iulian Dolan, 27, Cesar Iulian Butu, 26, and Florin Radu, 23 were charged in the District of New Hampshire with four counts, including conspiracy to commit computer fraud, wire fraud, and access device fraud. Radu is still at large.
The indictment doesn't name which of the two eateries in East Northport was targeted but says that between Dec 11, 2009 through April 17, 2010, the hackers transferred the credit card data from the store's POS (point-of-sale) system to an FTP "dump site." They then used the data to create fake credit cards to make unauthorized purchases, mostly in Europe. More than 150 Subway restaurants were affected, as well as 50 other unnamed retailers.
Phone calls to the Larkfield Road and Laurel Avenue Subways locations were unreturned.
Les Winograd, PR Specialist for the franchise’s world headquarters in Milford, CT was unable to shed any light on the amount of credit card data stolen from the East Northport location or the number of customers affected. He referred all questions to PR Director Kevin Kane, who issued the following statement:
“We were notified some time ago that the U.S. Secret Service and Department of Justice were conducting an investigation into a ring of individuals that were breaking into the POS systems at various merchant locations to steal credit card information. Upon learning about this investigation, we immediate(ly) took steps to improve our point of sale systems in the stores to make our customer transactions even more secure. As a result, we now have one of the most secure credit card processing solutions in the industry. As this is an ongoing investigation, we cannot say anything further except that it is safe to use your credit card at Subway.”
The indictment doesn’t identify which POS system Subway uses for its 30,000 locations but CIO Magazine reported in Jan 2009 that the chain was rolling out the Tourex Quick Service Restaurant POS System in an effort to control costs and streamline fast rollouts globally.
A customer-support technician at the Rhode Island-based branch of Tourex said that Subways only bought the source code for the POS software, and did not enter into a contract with Tourex to provide technical support for the system.
The full federal indictment is attached to this article as a PDF.
