IRVING, TX — At least a dozen stores in the Dave & Buster’s chain, headquartered here, were victims of a five-month computer hacking scheme between May and August of 2007 that stole thousands of credit card numbers. The ring inflicted – at a minimum – hundreds of thousands of dollars in losses to legitimate financial institutions, federal prosecutors said Monday. The U.S. Department of Justice has charged two foreigners and one U.S. citizen with the crime. All three suspects are in custody, the first two in Europe, and the third in Miami.
The full scope of the operation remains unknown, but the scale of damage appears immense. For example, at a single Long Island D&B’s, the crooks obtained some 5,000 credit card numbers. They sold those numbers to others who eventually caused losses of at least $600,000 to the financial institutions that issued the credit and debit cards. Also hacked were D&B’s outlets in Chicago, Westminster, CO, Islandia and West Nyack, NY, Utica, MI, Columbus, OH, and three Texas cities: Frisco, Dallas and Austin. The hackers operated from sites in the U.S. and overseas.
Federal indictments were unsealed Monday in the Eastern District of New York (Central Islip). In all, the feds filed 27 counts against the defendants including wire fraud conspiracy, wire fraud, conspiracy to possess unauthorized access devices, access device fraud, aggravated identity theft, conspiracy to commit computer fraud, computer fraud and counts of interception of electronic communications.
U.S. assistant attorney general Alice S. Fisher of the DOJ Criminal Division and U.S. attorney for the Eastern District of NY Benton J. Campbell said the suspects – including one Ukrainian and one Estonian – “employed college-level knowledge of computer programming skills” to perpetrate their crimes.
According to the indictment, Maksym Yastremskiy, a.k.a. “Maksik,” Aleksandr Suvorov, a.k.a. “JonnyHell,” and Albert Gonzalez, a.k.a. “Segvec,” hacked into cash register terminals at 11 Dave & Buster’s Inc. restaurants at various locations around the U.S. in order to acquire “track 2” credit and debit card information.
The defendants then sold the stolen data to others who used it to make fraudulent purchases or re-sold it to make such purchases.
Track 2 data include the customer’s account number and expiration date, but not the cardholder’s name or other personally identifiable information.
The indictment alleges that around May 2007, Yastremskiy and Suvorov gained unauthorized access to the cash registers and installed at each restaurant a “packet sniffer,” a malicious piece of computer code designed to capture communications between two or more computer systems on a single network.
The packet sniffer was configured to capture track 2 data as it moved from the restaurant’s point-of-sale server through the computer system at the company’s corporate headquarters to the data processor’s computer system.
One of the suspects was apprehended in Turkey last July by Turkish National Police. At the time of his arrest, he reportedly had millions of stolen credit card numbers on his laptop computer, but none was from D&B’s. He remains in custody in Turkey, said the DOJ.
A formal request for extradition of Yastremskiy to the United States has been made to the Turkish government.
At the request of the United States, Suvorov was arrested in March 2008 by German officials while he was visiting the country. He remains in jail in Germany, pending action on a formal U.S. extradition request.
The third suspect, Albert Gonzalez of Miami, was charged with wire fraud conspiracy related to the scheme. U.S. Secret Service officials arrested Gonzalez in Miami this month.
D&B’s said it never stored the data that hackers stole; the information was intercepted en route from D&B’s computers during the card verification and transmission process.
Dave & Buster’s CEO Steve King said the company learned it might be a target of data hacking in late August 2007. D&B’s assisted the U.S. Secret Service and DOJ in the investigation.
The location-based entertainment chain also retained private security firms that identified the vulnerabilities in D&B’s data transmission systems. D&B’s said it has put new security measures in place that are designed to prevent future data theft by hackers.
D&B’s is “confident that [our systems] are safe today,” said King.