Men plead guilty to $10 million Subway restaurant hack


Two men have pleaded guilty to their part in a multi-million dollar scheme which saw the point-of-sale computers of hundreds of Subway restaurant stores hacked into, and the details of customers' payment cards stolen.

The men - 28-year-old Iulian Dolan, of Craiova, Romania, and Cezar Butu, 27, of Ploiesti, Romania - have admitted being part of a conspiracy to commit computer fraud, according to a statement by the US Department of Justice.

The guilty pleas have been offered by the men as part of a plea-bargaining deal that should see Dolan sentenced to a maximum of seven years, and Butu freed within 21 months - providing a sentencing judge approves.

Dolan and Butu were part of a gang of four Romanian men arrested in December last year, after - according to the DOJ - stealing the details of more than 146,000 payment cards and inflicting more than $10 million in losses.

According to the authorities, the men identified vulnerable point-of-sale (POS) systems via the internet, and managed to gain access via vulnerable remote desktop software.

Once in place, the hackers were able to plant spyware onto the POS systems to record and store data that was keyed into or swiped through the merchants' POS systems, including credit card data.

This stolen payment card data was then siphoned off to dump sites - some located in Europe, some in the United States - from where it could be used to make unauthorised charges or to transfer funds.

According to the Department of Justice, the two Romanians claim to have been working alongside Adrian-Tiberiu Oprea, another Romanian national and the alleged ring-leader of the gang, who is currently awaiting trial in the District of New Hampshire.

Subway store. Image from Shutterstock

Of course, there's not really anything that customers of Subway could have done to avoid having their credit card data exposed by the hack - other than not shopping at Subway in the first place.

Sloppy security at the restaurant chain (with seemingly vulnerable remote desktop software on computers, with weak, guessable passwords) was enough to allow the hackers to crowbar their way in, and make away with restaurant-goers' private information.

The thought of how many other public-facing firms could be similarly poorly-secured certainly leaves a nasty taste in the stomach.


7 Responses to Men plead guilty to $10 million Subway restaurant hack

  1. @richardhack · 1116 days ago

    I think consumers need to be taught to pay with cash at restaurants. We know that restaurant security sucks and that millions of credit cards have been breached through one chain or another. It's not that hard to stop off at the ATM when going out to dinner - and a foot long isn't even going to require that.

    • Mark · 1116 days ago

      I think consumers need to be taught to walk when going to restaurants. We all know that cars get stolen, vandalized and get in accidents going to restaurants. It's not that hard to just walk.

      See how silly it sounds? The answer is not to just tell people not to use things, that is absurd. Customers are already protected against incidents like this, just like insurance protects their car. Accept it as part of life. The risk is minimal and it's much easier. Or, take your suggestion and just be a Luddite...

    • IT Professional · 1116 days ago

      In this day and age people don't like carrying money, it brings risk to themselves, if someone were to notice them withdrawing cash they might just become a target for a mugging. There are risks with both methods, there is never a sure way to make your money 100% secure.

  2. Bill · 1115 days ago

    Mark: I agree with you that we must accept that there will always be risks with any facet of life, but it was disrespectful to publicly insult Mr. Hack by calling him a Luddite. To do so would be to accuse him of fearing technological advances when that is simply not true - he used his computer to state an opinion, and he uses an ATM (which also could present a risk.) Mr. Hack's opinion is that one can avoid the vulnerabilities identified in this article if they instead use cash. In the context of the article he is right.

  3. njorl · 1115 days ago

    "leaves a nasty taste in the stomach" - another automated translation, or just a sign of biodiversity?

    I'd assumed all those POS devices were made by a small set of manufacturers, with design and model samples being inspected and approved on behalf of banks that provide the head end. Now, it seems there's a published API and Mrs Miggins in the pie shop can knock up her own device and plug into the global financial system?

  4. JuHz · 1115 days ago

    I would rather carry cash and get robbed than get your identity stolen. It's not just about the "money" that they steal; people pay for identity thefts. It might not mean much now, but in the long run, even traveling with family, it might bite you in the ass if you travel one day in another country and your identity was used in criminal actions..... Good luck in court, and these things do happen.

  5. roy jones jr · 1112 days ago

    For the longest I stayed away from direct deposit; I told my employer to cut me checks for any supplemental payment instead of giving me a pay card. I worked in a technical job but wanted my money as far away from technology as possible. Why? This article basically sums up why. What can the victims do? What could they have done? I still carry around cash and I'll take my chances with a physical person trying to mug me than an electronic transaction I can't do anything about.


About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley