Eight indicted for $9 million hack
A U.S. grand jury in Atlanta has indicted eight people related to hacking into a computer network operated by credit-card processing vendor RBS WorldPlay and stealing US$9 million.
Indicted Tuesday were Sergei Tsurikov, 25, of Tallinn, Estonia; Viktor Pleshchuk, 28, of St. Petersburg, Russia; Oleg Covelin, 28, of Chisinau, Moldova; and a person known only as Hacker 3. They were charged in a 16-count indictment of conspiracy to commit wire fraud, wire fraud, conspiracy to commit computer fraud, computer fraud, access device fraud and aggravated identity theft.
Also indicted in U.S. District Court for the Northern District of Georgia were Igor Grudijev, 31, Ronald Tsoi, 31, Evelin Tsoi, 20, and Mihhail Jevgenov, 33, each of Tallinn, on a charge each of access device fraud.
The indictment alleges that the group used sophisticated hacking techniques to compromise the data encryption that was used by RBS WorldPay to protect customer data on payroll debit cards, which are used by companies to pay employees. Using a payroll debit card, employees are able to withdraw their regular salaries from an ATM.
Once the encryption on the card-processing system was compromised, the hacking ring allegedly raised the account limits on compromised accounts, and then provided a network of so-called "cashers" with 44 counterfeit payroll debit cards, the U.S. Department of Justice said. Those counterfeit cards ere used to withdraw more than $9 million from more than 2,100 ATMs in about 280 cities worldwide, including cities in the U.S., Russia, Ukraine, Estonia, Italy, Hong Kong, Japan and Canada.
The $9 million loss happened in less than 12 hours last November.
The hackers then allegedly sought to destroy data stored on the card-processing network in order to conceal their hacking activity, the DOJ said. The indictment alleges that the cashers were allowed to keep 30 percent to 50 percent of the stolen funds, but transmitted the rest of the funds back to Tsurikov, Pleshchuk and other co-defendants. After discovering the unauthorized activity, RBS WorldPay, a division of the Royal Bank of Scotland, immediately reported the breach.
Several overseas law-enforcement agencies cooperated in the investigation. Estonian Central Criminal Police apprehended Tsurikov, Ronald Tsoi, Evelin Tsoi and Jevgenov in Estonia earlier this year. Each is facing related charges in Estonia. Tsurikov is also in custody in Estonia and is pending extradition to the U.S.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
U.S. Department of Justice
Powered by Twitter
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
