US restaurant chain served up payment card data to hackers

Dave & Buster's discloses data thefts from last year after grand jury indicts three in case
Page:

In the third data theft incident of its kind to come to light since March, US-based restaurant chain Dave & Buster's Tuesday disclosed that credit and debit card numbers were stolen last year from the computer systems at 11 of its locations during the card verification process.

The thefts at Dave & Buster's took place during a four-month period from May through August of last year and have resulted in fraudulent payment card transactions worth at least US$600,000 using data stolen from one of the restaurants alone, according to a federal grand jury indictment of three individuals that was unsealed yesterday at U.S. District Court in Central Islip, N.Y.

The US Department of Justice said in a statement (download PDF) that the three alleged perpetrators -- two of whom are listed as living in Eastern Europe -- have all been arrested in connection with the case and that they are charged with various crimes as part of the indictment.

The DOJ identified the arrested individuals as Maksym Yastremskiy, a resident of Ukraine, and Aleksandr Suvorov, of Estonia. The 27-count indictment against the two includes charges of computer fraud, wire fraud, aggravated identity theft and interception of electronic communications.

Yastremskiy, who also goes by the name Maksik, was arrested last July in Turkey, the DOJ said, adding that the US government has made a formal request to have him extradited. Suvorov, who uses the online handle JohnnyHell, was arrested in March in Germany at the request of US officials and remains in jail there while the German government acts on a formal extradition request, the DOJ said.

The third individual charged in the Dave & Buster's case was identified as Albert Gonzalez, a Miami resident who faces one count of wire fraud. The DOJ said that Gonzalez, who uses the alias Segvec, was arrested this month by the US Secret Service.

In a statement sent via e-mail in response to a request for comment, Dave & Buster's said that the alleged thieves stole the so-called Track 2 data from the magnetic stripes on the back of credit and debit cards, including the card numbers and expiration dates. The company said that the information hadn't been stored on its systems and was taken while the data was being transmitted to authorize transactions. It noted that the thieves didn't get any other personal data, such as names, addresses, PINs, or bank account and Social Security numbers.

In the statement, which was posted on the Restaurant News Resource Web site, Dave & Buster's said that it "was alerted to the potential data intrusion" late last August and that it "immediately" notified Secret Service officials. The company added that it notified the credit card companies of affected cardholders last September. But the data thefts weren't publicly disclosed until after the unsealing of the grand jury indictment.

Dave & Buster's, which operates 49 restaurants, said data was stolen from outlets in New York, Illinois, Michigan, Florida, Ohio, Colorado and Texas. Following the discovery of the data thefts, the chain "implemented additional security measures to prevent any such incident from occurring in the future," it said. But the company didn't elaborate on what those additional measures were.

According to a description of the heist in the grand jury's indictment, Yastremskiy and Suvorov allegedly managed to gain remote access to point of sale (POS) servers at the affected Dave & Buster's locations -- apparently by falsely representing that they were authorized to access the systems. The two then allegedly installed packet-sniffing software designed to capture Track 2 data as it was transferred from compromised POS servers to a central system for transmission to the chain's payment processor.

Page:
More about: Department of Justice, DOJ, Financial Institutions, Sniffer, US Department of Justice, VIA
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the Computerworld comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Whitepapers
Latest Stories
Community Comments
Whitepapers
All whitepapers
Sign up now to get free exclusive access to reports, research and invitation only events.
Featured Download
/downloads/product/235/softperfect-network-protocol-analyzer/

SoftPerfect Network Protocol Analyzer

Publisher's notes: SoftPerfect Network Protocol Analyzer is an advanced, professional tool for analyzing, debugging, maintaining and monitoring local networks and Internet connections. It captures the ...

Computerworld newsletter

Join the most dedicated community for IT managers, leaders and professionals in Australia