Russian Hackers Stole More Than 160 Million Credit Cards

Jul 25, 2013
Copyright 2017 NPR. To see more, visit http://www.npr.org/.

ROBERT SIEGEL, HOST:

Today, U.S. attorneys in New York and New Jersey unveiled indictments against a Russian and Ukrainian hacking conspiracy - more than 100 million credit and debit card numbers stolen. Authorities say it's the largest case of electronic data theft ever uncovered by U.S. law enforcement.

Joining us now with details is NPR's Steve Henn. And, Steve, just how big was this attack?

STEVE HENN, BYLINE: Actually, it was a series of attacks beginning all the way back in 2005, and collectively they were enormous. According to investigators, this group of hackers broke into the computer networks of more than a dozen large corporations. And actually, they stole more than 160 million credit card numbers. Basically, they set up a global business selling card numbers to a group of, quote, "trusted identity theft wholesalers." And all told, these hacks eventually led to more than $300 million in losses, according to the Justice Department.

Paul Fishman, the United States district attorney, called it staggering.

SIEGEL: So, which companies and institutions were targeted by the hackers?

HENN: Well, more than a dozen, including Citibank, PNC Financial were both hacked. Heartland Payment Systems and other large credit card processing companies were hacked. Also retailers like J.C. Penney, 7-Eleven - even NASDAQ, although the indictment went to pains to say that the trading platform wasn't compromised.

SIEGEL: I mean, you're talking about institutions that we assume have some kind of security. How did these attacks work?

HENN: Well, it was complicated but what was impressive was the hackers used a variety of different techniques. Sometimes they planted malware. Sometimes they attacked the corporate databases directly. And several times they actually attacked financial institutions' websites, creating programs that would guess at account passwords again and again and again, automatically, until they got a hit. In a single day in 2008, they were able to compromise more than 300,000 Citibank accounts using that technique.

SIEGEL: This went on for several years, I gather. Is it eight years or so?

HENN: Right.

SIEGEL: How do they get away with it for so long?

HENN: Well, according to investigators, these five hackers were highly specialized and very good at what they did. Two just concentrated on breaking into corporate networks. One analyzed the data they stole. Another handled sales. Mikhail Rytikov from the Ukraine specialized in covering their tracks. He provided encryption in anonymous Web hosting services. And investigators say they were lucky to catch them. Still, though, three of them are at large.

SIEGEL: OK. Thank you, Steve.

HENN: My pleasure.

SIEGEL: That's NPR's Steve Henn.

Transcript provided by NPR, Copyright NPR.