Federal prosecutors unsealed criminal charges against a group of
hackers who allegedly breached the computer systems of more than a
dozen companies including Nasdaq OMX Group Inc. (NDAQ), J.C. Penney
Co. (JCP) and Carrefour S.A. (CRRFY, CA.FR), to steal personal data
and, in some cases, credit-card information, resulting in the loss
of "hundreds of millions of dollars."
Federal prosecutors in New Jersey, who made the charges public
on Thursday, called the case the largest hacking and data breach
scheme ever prosecuted in the U.S. in terms of the number of hacks
and the amount of funds taken. The investigation is ongoing, they
said.
The hackers allegedly stole more than 160 million credit- and
debit-card numbers from retailers, credit-card companies and
payment processors, as well as personal or login information from a
variety of companies. More than $300 million was stolen from just
three of the affected companies, according to the indictment.
Five men from the former Soviet Union--four from Russia and one
from the Ukraine--have been charged as part of the alleged scheme,
which began in 2005 and ran through last summer, prosecutors said.
Two of them were arrested at the request of the U.S. government
while they were traveling in the Netherlands, while the other three
are considered fugitives.
Cybercrime has been a growing concern for prosecutors in the
U.S. and around the world in the past few years as hacking groups
have become more brazen in their infiltrations of government
websites and secure financial systems. Hacking groups have been
successful in carting away millions of dollars in just a matter of
hours with little more than a computer and a handful of stolen card
numbers.
"This type of crime is the cutting edge," said Paul Fishman, the
U.S. attorney in New Jersey. "Those who have the expertise and the
inclination to break into our computer networks threaten our
economic well-being, our privacy, and our national security. And
this case shows there is a real practical cost because these types
of frauds increase the costs of doing business for every American
consumer, every day."
According to the New Jersey indictment, members of the
conspiracy "scouted" potential victims, including visiting retail
stores in 2007 and in 2008 in order to identify their payment
processing systems. In other cases, the indictment alleges, the
hackers installed software on the corporate computer systems so
that they could create "back doors" giving them access to the
systems at a later date.
The indictment says the hackers would get large amounts of data
from the corporate computers and then sell the information. Prices
ranged from about $10 for each stolen American credit-card number,
$50 for each European number and $15 for the Canadian variety.
The scheme unveiled on Thursday allegedly targeted computer
systems at a variety of companies, including Nasdaq, French
retailer Carrefour, J.C. Penney and 7-Eleven Inc., JetBlue Airways
Corp. (JBLU) and a Jordan company that processed payments for
merchants using Visa Inc.'s network. Dow Jones Inc., a unit of News
Corp (NWS, NWSA, NNC.AU) and the publisher of this newswire, also
was an alleged victim in 2009 of the scheme, according to the
indictment.
Nasdaq, Carrefour, 7-Eleven and J.C. Penney declined comment.
JetBlue said that the company has since replaced an older computer
information system that was breached and has fully cooperated in
the operation.
"There is no evidence that Dow Jones or Wall Street Journal
customer information was compromised as a result of these
breaches," a Dow Jones spokeswoman said. "The security of our
systems and data remains of the utmost importance to Dow Jones and
we treat any attempts by external parties to breach our network
extremely seriously. We worked closely with the authorities in this
matter and as a result significantly strengthened our network."
While the hackers allegedly were able to penetrate Nasdaq's
computer network and access the trading history of specific
securities, the servers powering Nasdaq's exchanges were not
compromised, according to a person with knowledge of the exchange's
systems. The identity of specific traders was not accessed by the
hackers, the person said.
Nasdaq's so-called SQL servers, which run on a different
operating system than those running the company's markets, maintain
various public-facing websites listing share prices and provide
forums for investor discussions, according to the person. The
hackers purportedly got onto a Nasdaq network of about 30 such
servers, gaining log-in information by tricking a site set up to
remind site users of forgotten passwords.
Cyberattacks are an increasing headache for exchange operators,
whose websites are often attacked as symbols of Wall Street and
capitalism. In 2010 hackers penetrated Nasdaq's Directors Desk
website, set up for members of corporate boards to share documents,
spurring a Secret Service investigation.
Cybersecurity is "something we deal with all day, every day,"
said Nasdaq OMX CEO Bob Greifeld in an interview Wednesday. "We
have to ensure we've securitized each and every one of our systems,
how our systems relate to each other, and the core infrastructure
that supports those systems."
The first criminal charges in the New Jersey case were filed in
2009 against two of the defendants--Alexandr Kalinin and Vladimir
Drinkman--but weren't made public until Thursday. It isn't unusual
for criminal charges to be filed under seal while an investigation
is ongoing, and made public years later.
The men were allegedly associated with Albert Gonzalez, a Miami
man who was sentenced to 20 years in prison in 2010, the longest
term ever imposed in a U.S. hacking case. Mr. Gonzalez was
described as an alleged co-conspirator in the indictment.
The probe began in 2007 following a cyber attack on Heartland
Payment Systems Inc. (HPY), one of the world's largest credit- and
debit-card processors, prosecutors said. The attack resulted in the
theft of about 130 million card numbers and losses of about $200
million, according to the indictment. A Heartland spokesman didn't
immediately respond to a request for comment Thursday.
Mr. Drinkman, 32 years old, and another co-defendant, Dmitriy
Smilianets, 29, were arrested in the Netherlands in June 2012. Mr.
Smilianets has been extradited to the U.S. and is expected to
appear in federal court in New Jersey at a later date. Lawyers for
Messrs. Drinkman and Smilianets didn't immediately respond to
requests for comment Thursday.
Three others in the New Jersey case--Mr. Kalinin, Roman Kotov
and Mikhail Tytikov--are considered fugitives, according to
prosecutors. Lawyers for Messrs. Kalinin, Kotov and Tytikov
couldn't immediately be located for comment. They face a variety of
charges, including carrying out a computer-hacking conspiracy,
conspiracy to commit wire fraud and unauthorized computer
access.
Mr. Kalinin, who is considered a fugitive, also has been
separately charged by federal prosecutors in Manhattan in two
additional schemes: one to hack Nasdaq's servers and another to
steal information related to more than 800,000 bank accounts,
resulting in the theft of more than $7.8 million.
A sixth man, Nikolay Nasenkov, also was charged in the alleged
bank scheme in the federal complaint by Manhattan prosecutors. Mr.
Nasenkov is believed to be at large and a lawyer for Mr. Nasenkov
couldn't immediately be located for comment.
--Reed Albergotti and Jacob Bunge contributed to this
report.
Write to Chad Bray at chad.bray@wsj.com