Federal prosecutors unsealed criminal charges against a group of hackers who allegedly breached the computer systems of more than a dozen companies including Nasdaq OMX Group Inc. (NDAQ), J.C. Penney Co. (JCP) and Carrefour S.A. (CRRFY, CA.FR), to steal personal data and, in some cases, credit-card information, resulting in the loss of "hundreds of millions of dollars."

Federal prosecutors in New Jersey, who made the charges public on Thursday, called the case the largest hacking and data breach scheme ever prosecuted in the U.S. in terms of the number of hacks and the amount of funds taken. The investigation is ongoing, they said.

The hackers allegedly stole more than 160 million credit- and debit-card numbers from retailers, credit-card companies and payment processors, as well as personal or login information from a variety of companies. More than $300 million was stolen from just three of the affected companies, according to the indictment.

Five men from the former Soviet Union--four from Russia and one from the Ukraine--have been charged as part of the alleged scheme, which began in 2005 and ran through last summer, prosecutors said. Two of them were arrested at the request of the U.S. government while they were traveling in the Netherlands, while the other three are considered fugitives.

Cybercrime has been a growing concern for prosecutors in the U.S. and around the world in the past few years as hacking groups have become more brazen in their infiltrations of government websites and secure financial systems. Hacking groups have been successful in carting away millions of dollars in just a matter of hours with little more than a computer and a handful of stolen card numbers.

"This type of crime is the cutting edge," said Paul Fishman, the U.S. attorney in New Jersey. "Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy, and our national security. And this case shows there is a real practical cost because these types of frauds increase the costs of doing business for every American consumer, every day."

According to the New Jersey indictment, members of the conspiracy "scouted" potential victims, including visiting retail stores in 2007 and in 2008 in order to identify their payment processing systems. In other cases, the indictment alleges, the hackers installed software on the corporate computer systems so that they could create "back doors' giving them access to the systems at a later date.

The indictment says the hackers would get large amounts of data from the corporate computers and then sell the information. Prices ranged from about $10 for each stolen American credit-card number, $50 for each European number and $15 for the Canadian variety.

The scheme unveiled on Thursday allegedly targeted computer systems at a variety of companies, including Nasdaq, French retailer Carrefour, J.C. Penney and 7-Eleven Inc., JetBlue Airways Corp. (JBLU) and a Jordan company that processed payments for merchants using Visa Inc.'s network. Dow Jones Inc., a unit of News Corp (NWS, NWSA, NNC.AU) and the publisher of this newswire, also was an alleged victim in 2009 of the scheme, according to the indictment.

Nasdaq, Carrefour, 7-Eleven and J.C. Penney declined comment. JetBlue said that the company has since replaced an older computer information system that was breached and has fully cooperated in the operation.

"There is no evidence that Dow Jones or Wall Street Journal customer information was compromised as a result of these breaches," a Dow Jones spokeswoman said. "The security of our systems and data remains of the utmost importance to Dow Jones and we treat any attempts by external parties to breach our network extremely seriously. We worked closely with the authorities in this matter and as a result significantly strengthened our network."

While the hackers allegedly were able to penetrate Nasdaq's computer network and access the trading history of specific securities, the servers powering Nasdaq's exchanges were not compromised, according to a person with knowledge of the exchange's systems. The identity of specific traders was not accessed by the hackers, the person said.

Nasdaq's so-called SQL servers, which run on a different operating system than those running the company's markets, maintain various public-facing websites listing share prices and provide forums for investor discussions, according to the person. The hackers purportedly got onto a Nasdaq network of about 30 such servers, gaining log-in information by tricking a site set up to remind site users of forgotten passwords.

Cyberattacks are an increasing headache for exchange operators, whose websites are often attacked as symbols of Wall Street and capitalism. In 2010 hackers penetrated Nasdaq's Directors Desk website, set up for members of corporate boards to share documents, spurring a Secret Service investigation.

Cybersecurity is "something we deal with all day, every day," said Nasdaq OMX CEO Bob Greifeld in an interview Wednesday. "We have to ensure we've securitized each and every one of our systems, how our systems relate to each other, and the core infrastructure that supports those systems."

The first criminal charges in the New Jersey case were filed in 2009 against two of the defendants--Alexandr Kalinin and Vladimir Drinkman--but weren't made public until Thursday. It isn't unusual for criminal charges to be filed under seal while an investigation is ongoing, and made public years later.

The men were allegedly associated with Albert Gonzalez, a Miami man who was sentenced to 20 years in prison in 2010, the longest term ever imposed in a U.S. hacking case. Mr. Gonzalez was described as an alleged co-conspirator in the indictment.

The probe began in 2007 following a cyber attack on Heartland Payment Systems Inc. (HPY), one of the world's largest credit- and debit-card processors, prosecutors said. The attack resulted in the theft of about 130 million card numbers and losses of about $200 million, according to the indictment. A Heartland spokesman didn't immediately respond to a request for comment Thursday.

Mr. Drinkman, 32 years old, and another co-defendant, Dmitriy Smilianets, 29, were arrested in the Netherlands in June 2012. Mr. Smilianets has been extradited to the U.S. and is expected to federal court in New Jersey at a later date. Lawyers for Messrs. Drinkman Smilianets didn't immediately respond to requests for comment Thursday.

Three others in the New Jersey case--Mr. Kalinin, Roman Kotov and Mikhail Tytikov-- are considered fugitives, according to prosecutors. Lawyers for Messrs. Kalinin, Kotov and Tytikov couldn't immediately be located for comment. They face a variety of charges, including carrying out a computer-hacking conspiracy, conspiracy to commit wire fraud and unauthorized computer access.

Mr. Kalinin, who is considered a fugitive, also has been separately charged by federal prosecutors in Manhattan in two additional schemes: one to hack Nasdaq's servers and another to steal information related to more than 800,000 bank accounts, resulting in the theft of more than $7.8 million.

A sixth man, Nikolay Nasenkov, also was charged in the alleged bank scheme in the federal complaint by Manhattan prosecutors. Mr. Nasenkov is believed to be at large and a lawyer for Mr. Nasenkov couldn't immediately be located for comment.

--Reed Albergotti and Jacob Bunge contributed to this report.

Write to Chad Bray at chad.bray@wsj.com

Subscribe to WSJ: http://online.wsj.com?mod=djnwires

JetBlue Airways (NASDAQ:JBLU)
Historical Stock Chart
From Feb 2024 to Mar 2024 Click Here for more JetBlue Airways Charts.
JetBlue Airways (NASDAQ:JBLU)
Historical Stock Chart
From Mar 2023 to Mar 2024 Click Here for more JetBlue Airways Charts.