Two Romanian men were sentenced Wednesday to serve prison sentences for remotely hacking into hundreds of U.S. merchants' computers and stealing payment card data, the U.S. Department of Justice said.
Adrian-Tiberiu Oprea, 29, of Constanta, Romania, was sentenced to serve 15 years in prison, and Iulian Dolan, 28, of Craiova, Romania, was sentenced to serve seven years in prison during proceedings in U.S. District Court for the District of New Hampshire. The two men were charged with hacking into hundreds of point-of-sale (POS) computer systems and stealing payment card data, with co-conspirators compromising cards belonging to more than 100,000 customers, the DOJ said in a press release.
The compromises caused losses of more than US $17.5 million in unauthorized charges and remediation expenses, the DOJ said.
In May, Oprea pleaded guilty to one count of conspiracy to commit computer fraud, one count of conspiracy to commit wire fraud and two counts of conspiracy to commit access device fraud. In September 2012, Dolan pleaded guilty to one count of conspiracy to commit computer fraud and two counts of conspiracy to commit access device fraud.
From 2009 to 2011, the two conspired with another Romanian resident to hack into hundreds of U.S. computers to steal payment card data, the DOJ said.
Oprea, who was the leader of the scheme, and Dolan, who was his trusted aide, first used the Internet to identify U.S.-based vulnerable POS systems, the DOJ said. After identifying a vulnerable system, Oprea and Dolan would gain access and install software programs called keystroke loggers, which recorded all of the data that was keyed into or swiped through the merchants' POS systems, including customers' payment card data.
Oprea and Dolan retrieved the card data and then electronically transferred it to various electronic storage locations, or dump sites, that Oprea had set up, the DOJ said. Oprea later attempted to use the stolen payment card data to make unauthorized charges on, or transfers of funds from, the accounts. He also attempted to transfer the stolen payment card data to other co-conspirators.
During the conspiracy, the co-conspirators hacked into several hundred U.S. merchants' POS systems, including 250 Subway restaurant franchises, the DOJ said.