Russian Hackers Stole More Than 160 Million Credit Cards

Five men living in Russia and the Ukraine targeted more than a dozen companies in a data breach that prosecutors describe as one of the largest ever uncovered. The scheme, in which the men allegedly stole credit card numbers and customers' log-in credentials and then sold them on the black market, resulted in hundreds of millions of dollars in losses, according to the indictment.

Copyright © 2013 NPR. For personal, noncommercial use only. See Terms of Use. For other uses, prior permission required.

ROBERT SIEGEL, HOST:

Today, U.S. attorneys in New York and New Jersey unveiled indictments against a Russian and Ukrainian hacking conspiracy - more than 100 million credit and debit card numbers stolen. Authorities say it's the largest case of electronic data theft ever uncovered by U.S. law enforcement.

Joining us now with details is NPR's Steve Henn. And, Steve, just how big was this attack?

STEVE HENN, BYLINE: Actually, it was a series of attacks beginning all the way back in 2005, and collectively they were enormous. According to investigators, this group of hackers broke into the computer networks of more than a dozen large corporations. And actually, they stole more than 160 million credit card numbers. Basically, they set up a global business selling card numbers to a group of, quote, "trusted identity theft wholesalers." And all told, these hacks eventually led to more than $300 million in losses, according to the Justice Department.

Paul Fishman, the United States district attorney, called it staggering.

SIEGEL: So, which companies and institutions were targeted by the hackers?

HENN: Well, more than a dozen, including Citibank, PNC Financial were both hacked. Heartland Payment Systems and other large credit card processing companies were hacked. Also retailers like J.C. Penney, 7-Eleven - even NASDAQ, although the indictment went to pains to say that the trading platform wasn't compromised.

SIEGEL: I mean, you're talking about institutions that we assume have some kind of security. How did these attacks work?

HENN: Well, it was complicated but what was impressive was the hackers used a variety of different techniques. Sometimes they planted malware. Sometimes they attacked the corporate databases directly. And several times they actually attacked financial institutions' websites, creating programs that would guess at account passwords again and again and again, automatically, until they got a hit. In a single day in 2008, they were able to compromise more than 300,000 Citibank accounts using that technique.

SIEGEL: This went on for several years, I gather. Is it eight years or so?

HENN: Right.

SIEGEL: How do they get away with it for so long?

HENN: Well, according to investigators, these five hackers were highly specialized and very good at what they did. Two just concentrated on breaking into corporate networks. One analyzed the data they stole. Another handled sales. Mikhail Rytikov from the Ukraine specialized in covering their tracks. He provided encryption in anonymous Web hosting services. And investigators say they were lucky to catch them. Still, though, three of them are at large.

SIEGEL: OK. Thank you, Steve.

HENN: My pleasure.

SIEGEL: That's NPR's Steve Henn.


NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR's programming is the audio.
