Men plead guilty to $10 million Subway restaurant hack

Graham Cluley
Graham Cluley
@[email protected]

Subway subTwo men have pleaded guilty to their part in a multi-million dollar scheme which saw the point-of-sale computers of hundreds of Subway restaurant stores hacked into, and the details of customers’ payment cards stolen.

The men – 28-year-old Iulian Dolan, of Craiova, Romania, and Cezar Butu, 27, of Ploiesti, Romania, have admitted being part of a conspiracy to commit computer fraud according to a statement by the US Department of Justice.

The guilty pleas have been offered by the men as part of a plead-bargaining deal that should see Dolan sentenced for a maximum of seven years, and Butu to be freed within 21 months – providing a sentencing judge approves.

Dolan and Butu were part of a gang of four Romanian men arrested in December last year, after – according to the DOJ – stealing the details of more than 146,000 payment cards and inflicting more than $10 million in losses.

Sign up to our free newsletter.
Security news, advice, and tips.

According to the authorities, the men identified vulnerable point-of-sale (POS) systems via the internet, and managed to gain access via vulnerable remote desktop software.

Once in place, the hackers were able to plant spyware onto the POS systems to record and store data that was keyed into or swiped through the merchants’ POS systems, including credit card data.

This stolen payment card data was then siphoned off to dump sites – some located in Europe, some in the United States – from where it could be used to make unauthorised charges or to transfer funds.

According to the Department of Justice, the two Romanians claim to have been working alongside Adrian-Tiberiu Oprea, another Romanian national and the alleged ring-leader of the gang, who is currently awaiting trial in the District of New Hampshire.

Subway store. Image from Shutterstock

Of course, there’s not really anything that customers of Subway could have done to avoid having their credit card data exposed by the hack – other than not shopped at Subway in the first place.

Sloppy security at the restaurant chain (with seemingly vulnerable remote desktop software on computers, with weak, guessable passwords) was enough to allow the hackers to crowbar their way in, and make away with restaurant-goers private information.

The thought of how many other public-facing firms could be similarly poorly-secured certainly leaves a nasty taste in the stomach.

Subway store image from Shutterstock.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.