US charges five in biggest credit card hacking case

BOSTON (REUTERS) - Prosecutors in the United States have charged five men with payment card theft resulting in more than US$300 million (S$378 million) in losses for companies in the US and Europe in what they described as the country's largest hacking fraud case in history.

Victims include Nasdaq OMX Group, Visa , Dow Jones, JC Penney, JetBlue Airways and Carrefour, prosecutors said as they announced the indictments on Thursday.

The indictment named four men residing in Russia and one man in Ukraine. It also cited Albert Gonzalez as a co-conspirator. He is serving 20 years in federal prison after pleading guilty to helping mastermind one of the biggest hacking fraud schemes in US history, helping steal millions of credit and debit cards. It was not immediately clear how those cases overlapped with the ones announced on Thursday.

In additional to payment car theft, charges in the indictment included allegations that the defendants stole log-in credentials from Nasdaq after playing malicious software on the company's computers around May 2007. A spokesman for Nasdaq could not immediately be reached for comment.

Mr Mark Rasch, a former federal cyber crimes prosecutor, told Reuters that the arrests show that law enforcement is making progress in identifying those responsible for major cyber crimes.

"They involve dozens or even hundreds of people huddled over computer terminals all over the world in a common purpose of stealing of disseminating credit card numbers," said Mr Rasch, who was not involved in bringing the case.

The indictment said from about August 2005 through at least July last year, the five men and four co-conspirators ran a high-profile hacking ring that was responsible for several of the largest known data breaches to date.

Prosecutors said they conservatively estimate that the group stole at least 160 million credit card numbers, resulting in losses in excess of US$300 million.

The hacking ring sold the payment card numbers to resellers, who then sold them on online forums or to "cashers" who encode the numbers onto blank plastic cards that are used to purchase goods or withdraw money from ATMs in what is known as a debit card dump.

Among the breaches cited in the case, prosecutors charged that the group was responsible for the theft of more than 130 million credit card numbers from US payment processor Heartland Payment Systems beginning in December 2007, resulting in approximately US$200 million of losses.

It charged that they took approximately 30 million payment card numbers from British payment processor Commidea in 2008 and 800,000 card numbers from Visa's licensee Visa Jordan in 2011.

An attack on Global Payment Systems that begin in about January 2011 resulted in the theft of more than 950,000 cards and losses of about US$93 million, according to the indictment. It charged the ring with stealing approximately 2 million credit card numbers from French retailer Carrefour, beginning as early as October 2007 and 4.2 million card numbers from US grocer Hannaford Brothers, a unit of Delhaize Group.

It said the theft of card numbers from Dexia Bank Belgium resulted in US$1.7 million in losses