Feds charge 5 in data breach case

Nathaniel Popper / New York Times News Service

Published Jul 26, 2013 at 05:00AM

Federal prosecutors on Thursday brought what they called the largest hacking and data breach case in the country, charging five people with running an organization that hacked the computer networks of more than a dozen corporations, stealing and selling at least 160 million credit and debit card numbers.

The scheme was run by four Russian nationals and a Ukrainian, said the prosecutors, who announced the indictments in Newark, N.J. Paul Fishman, the U.S. attorney for the District of New Jersey, said losses ran into the hundreds of millions of dollars.

“The losses in this case are staggering,” Fishman said at a news conference in Newark. “This type of crime is really the cutting edge of financial fraud.”

The victims in the scheme, which prosecutors said ran from 2005 until last year, included Visa; JCPenney; 7-Eleven; JetBlue; Heartland Payment Systems, one of the world’s largest credit and debit processing companies; and the French retailer Carrefour. A separate case involving one of the defendants and the Nasdaq stock exchange was filed by the U.S. attorney for the Southern District of New York.

“The defendants and their co-conspirators penetrated the secure computer networks of several of the largest payment processing companies, retailers, and financial institutions in the world, and stole the personal identifying information of others such as user names and passwords,” prosecutors said.

The defendants were identified as Vladimir Drinkman, Alexander Kalinin, Roman Kotov and Dmitriy Smilianets of Russia and Mikhail Rytikov of Ukraine. Drinkman is in custody in the Netherlands and Smilianets is in custody in the United States. The whereabouts of the other three was unclear.

The attacks underscore the broader threat that hacking poses to a financial system that is almost entirely reliant on networked communications.

In the Nasdaq case, Kalinin is accused of hacking into the servers used by the exchange.

From November 2008 through October 2010, he installed malicious software, or malware, on the servers; the malware allowed him to delete, change or steal data, according to the indictment unsealed Thursday. The infected servers did not include the platform for securities trading.