Click here to access the main News page and view a listing of all available articles.

Ukrainian Indicted On Charges Of Data Theft
Boston Globe - 05/14/08

A Ukrainian man tied to the theft of credit-card data from Framingham retailer TJX Cos. has been indicted in connection with a separate theft of payment information involving a national restaurant chain.

According to papers unsealed Monday in US District Court in Long Island, Maksym Yastremskiy and an accomplice were charged with hacking from overseas into computerized cash registers of the Dave & Buster's Inc. restaurant chain to obtain customer payment card numbers.

Yastremskiy also is believed to have resold payment card numbers obtained in the TJX breach by officials at the US Postal Inspection Service, though Justice Department and Secret Service officials have declined to discuss it. Involving as many as 100 million card numbers and first disclosed at the start of last year, the TJX case remains the largest loss of data on record and has led to renewed security efforts by banks, merchants, and card networks.

TJX wasn't mentioned in the Long Island indictment, but in a separate affidvait a Secret Service agent stated Yastremskiy was arrested last year in Turkey "based, in part, on charges of trafficking in stolen credit-card numbers, brought in the Southern District of California." The complaint also states a hacking tool apparently used in the restaurant case was similar to one used "in a prior intrusion of a major retailer" in 2005, a description that would fit the TJX case.

Dated March 12 and unsealed Monday, the indictment and an accompanying Justice Department statement allege Yastremskiy and an accomplice compromised the computer network of Dave & Buster's, a Dallas-based chain with one restaurant at the Providence Place mall in Rhode Island.

That location wasn't affected, the company said, though restaurants in New York, Colorado, Michigan, Illinois, Ohio, Florida, and Texas were. The chain said it first learned of the breach in August 2007 and immediately alerted the Secret Service, but did not provide more detail about how the breach was discovered.

The indictment states that in April 2007 Yastremskiy and the accomplice, Aleksandr Suvorov, an Estonian who went by the screen name of "JonnyHell," used international computer links to gain access to a computer server at the chain's restaurant in Arundel, Md., and installed a malicious program known as a "packet sniffer" to capture data transmissions. The attempt failed when the code malfunctioned.

The next month they tried the same approach again and targeted servers at 11 restaurants, this time with successful code, authorities say. As a result the pair was able to capture "Track 2" data from credit cards as it moved over the network, including the account numbers and expiration dates but not customer names or other personal information.

Limits in the code required the pair to continually monitor and reactivate the sniffers, the indictment states. But they were still able to harvest payment details including the numbers of 5,000 credit and debit cards used at one restaurant in Islandia, N.Y. that they sold and were used in at least $600,000 of fraudulent purchases.

The Justice Department said Yastremskiy remains in jail in Turkey "on potential violations of Turkish law," and confirmed the United States has sought his extradition. Suvorov was arrested in Germany in March and faces an extradition request.

In addition a third individual was charged in connection with the Dave & Buster's case, Albert Gonzalez of Miami, whom the Secret Service affidavit suggests supplied the sniffer code.

Ross Kerber can be reached at kerber@globe.com.

Click here to access the main News page and view a listing of all available articles.