NEWARK, NJ/BOSTON (Reuters) – US prosecutors have charged five foreign nationals with payment card theft resulting in more than $300 million in losses for companies in the US and in Europe in what they described as the country’s largest hacking fraud case in history.
Victims include Nasdaq OMX Group Inc, Visa Inc, Dow Jones Inc, JC Penney Co, JetBlue Airways Corp and Carrefour SA, prosecutors said as they announced the indictments yesterday.
Mark Rasch, a former federal cybercrimes prosecutor, told Reuters that the arrests show that law enforcement is making progress in identifying those responsible for major cybercrimes.
“They involve dozens or even hundreds of people huddled over computer terminals all over the world in a common purpose of stealing of disseminating credit card numbers,” said Rasch, who was not involved in bringing the case.
The indictment named four men residing in Russia and one man in Ukraine.
It also cited Albert Gonzalez as a co-conspirator. He is serving 20 years in federal prison after pleading guilty to helping mastermind one of the biggest hacking fraud schemes in US history, helping steal millions of credit and debit cards.
It was not immediately clear how those cases overlapped with the ones announced yesterday.
In additional to payment car theft, charges in the indictment included allegations that the defendants stole log-in credentials from Nasdaq after playing malicious software on the company’s computers around May 2007.
A spokesman for Nasdaq could not immediately be reached for comment.
The indictment said that from about August 2005 through at least July 2012 the five men and four co-conspirators ran a high-profile hacking ring that was responsible for several of the largest known data breaches to date.
Prosecutors said they conservatively estimate that the group stole at least 160 million credit card numbers, resulting in losses in excess of $300 million.
The hacking ring sold the payment card numbers to resellers, who then sold them on online forums or to “cashers” who encode the numbers onto blank plastic cards that are used to purchase goods or withdraw money from ATMs in what is known as a debit card dump.
Among the breaches cited in the case, prosecutors charged that the group was responsible for the theft of more than 130 million credit card numbers from US payment processor Heartland Payment Systems beginning in December 2007, resulting in approximately $200 million of losses.
It charged that they took approximately 30 million payment card numbers from British payment processor Commidea Ltd in 2008 and 800,000 card numbers from Visa Inc’s licensee Visa Jordan in 2011.
An attack on Global Payment Systems that begin in about January 2011 resulted in the theft of more than 950,000 cards and losses of about $93 million, according to the indictment.
It charged the ring with stealing approximately 2 million credit card numbers from French retailer Carrefour SA, beginning as early as October 2007 and 4.2 million card numbers from US grocer Hannaford Brothers Co, a unit of Delhaize Group. It said the theft of card numbers from Dexia Bank Belgium resulted in $1.7 million in losses.
Other victims included US retailers JCPenney, JetBlue Airways, Dow Jones Inc, Wet Seal Inc and 7-Eleven Inc, according to prosecutors.