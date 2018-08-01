Three Ukrainian nationals have been arrested in the theft of more than 15 million credit and debit card numbers from point-of-sale terminals at Chipotle Mexican Grill, Arby’s and other retail and hospitality chains, federal authorities said Wednesday.
The three are high-ranking members of an international hacking group known as FIN7 that gathered the numbers collected from more than 6,500 terminals at more than 3,600 separate business locations since 2015, the Justice Department alleges.
“The naming of these FIN7 leaders marks a major step toward dismantling this sophisticated criminal enterprise,” said Jay S. Tabb Jr., special agent in charge of the FBI’s Seattle office.
Investigators have been conducting a long-running probe into the group. Companies that have previously publicly disclosed hacks attributable to FIN7 include such familiar chains as Chili’s, Red Robin and Jason’s Deli. Additional intrusions occurred abroad, including in Britain, Australia and France, the Justice Department said.
The group hacked companies by sending emails with malware-ridden Microsoft Word attachments, according to authorities. When employees opened the documents, they unwittingly unleashed a virus onto their computers that allowed the hacker group to infiltrate the company’s computer networks, according to the department.
FIN7 is highly sophisticated, the department said, with the hacker group using comprehensive methods to hack victims, such as following up the malware-ridden emails with phone calls to make the emails seem more legitimate. The group fronted as Combi Security to further disguise themselves, the Justice Department said.
The suspects have each been charged with 26 felony counts alleging conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft, the department said. They were identified as Dmytro Fedorov, 44; Fedir Hladyr, 33; and Andrii Kopakov, 30.
Hladyr is currently detained in Seattle and is awaiting a trial set for Oct. 22, the department said. Fedorov and Kopakov are detained in Poland and Spain, respectively.
The FIN7 hacks aren’t the only major point-of-sale data breaches against U.S. companies. Target was victim to a massive hack at the end of 2013, resulting in the theft of 110 million customers’ personal data, including credit card numbers.
More recently, in September 2017, Whole Foods was hit by a point-of-sale hack that primarily affected Whole Foods’ Taproom venues.
1:10 p.m.: This article was updated with additional details about the FIN7 hacking group and previous point-of-sale hacks.
This article was originally published at 12:05 p.m.