Three charged as part of global hacking ring that stole millions of account numbers from chains

The Justice Department announced the arrest of what it says are three high-ranking members of an international hacker group responsible for stealing data from retail and hospitality chains including Arby's, Red Robin and Chipotle.
(Matt Odom / Associated Press)

Three Ukrainian nationals have been arrested in the theft of more than 15 million credit and debit card numbers from point-of-sale terminals at Chipotle Mexican Grill, Arby’s and other retail and hospitality chains, federal authorities said Wednesday.

The three men are high-ranking members of an international hacking group known as FIN7 that gathered the numbers collected from more than 6,500 terminals at more than 3,600 separate business locations since 2015, the Justice Department alleges.

“The naming of these FIN7 leaders marks a major step toward dismantling this sophisticated criminal enterprise,” said Jay S. Tabb Jr., special agent in charge of the FBI’s Seattle office.

Companies that have previously publicly disclosed hacks attributable to FIN7 include such familiar chains as Chili’s, Red Robin and Jason’s Deli. The Emerald Queen Hotel and Casino near Tacoma, Wash., and other unidentified resorts and hotels were victimized, the prosecutors said. Additional intrusions were alleged to have occurred abroad, including in Britain, Australia and France.

The group hacked companies by sending emails with malware-ridden Microsoft Word attachments, prosecutors said. When employees opened the documents, they unwittingly unleashed a virus onto their computers that allowed the hacker group to infiltrate the company’s computer networks.

Prosecutors said FIN7 is highly sophisticated and used elaborate methods. The emails were typically sent to specific individuals and might pose as requests for catering orders when targeting restaurants, or as reservation inquiries for hotels. The hackers might follow up with phone calls to make the emails seem more legitimate.

The FIN7 hacks aren’t the only major point-of-sale data breaches against U.S. companies. Target was victim to a massive hack at the end of 2013, resulting in the theft of 110 million customers’ personal data, including credit card numbers.

More recently, in September 2017, Whole Foods was hit by a point-of-sale hack that primarily affected Whole Foods’ Taproom venues.

Martin Minnich, program manager at Cal Poly San Luis Obispo’s California Cybersecurity Institute, said the latest arrests show how hacking threats are growing increasingly common and more sophisticated.

“Threat factors are evolving and changing very quickly. It’s the same way a cold or virus does. That’s now happening on the digital frontier,” said Martin, who added that companies need to do more to combat the scams.

“It’s about performing annual audits and looking for antiquated systems. You can’t be everywhere all the time, but if you’re not adapting as these threats are adapting, you’re going to get left behind,” he said.

Bugcrowd, a San Francisco cybersecurity firm, is employed by companies to detect software vulnerabilities by trying to hack into their systems.

Alyssa Habing, an account manager at the firm, said food industry companies “weren’t necessarily on the forefront” of cyber safety but are improving.

“Some industries are moving faster than others. Obviously the companies that have invested in bigger IT teams are moving faster,” she said.

The suspects have each been charged with 26 felony counts alleging conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft, the department said. They were identified as Dmytro Fedorov, 44; Fedir Hladyr, 33; and Andrii Kopakov, 30.

Hladyr is detained in Seattle and is awaiting a trial set for Oct. 22, the department said. Fedorov and Kopakov are detained in Poland and Spain, respectively.

Ethan.millman@latimes.com

@MillmanEthan


UPDATES:

3:25 p.m.: This article has been updated with more comments from cybersecurity experts.

1:10 p.m.: This article was updated with additional details about the FIN7 hacking group and previous point-of-sale hacks.

This article was originally published at 12:05 p.m.
