Five Indicted Over Major Data Breach That Hit 7-Eleven, Others

Unsealed court documents show hackers hit payment processors, retailers, financial institutions

Published in CSP Daily News

WASHINGTON -- 7-Eleven Inc. was among more than a dozen companies hacked in what the U.S. Department of Justice is calling  the largest such scheme ever prosecuted in the United States. A federal indictment made public Thursday in New Jersey charges five men with conspiring in a worldwide hacking and data breach scheme that targeted major corporate networks and stole more than 160 million credit-card numbers.

Unsealed court documents allege that as a result of the scheme, financial institutions, credit-card companies and consumers suffered hundreds of millions in losses, including more than $300 million in losses reported by just three of the corporate victims and immeasurable losses to the identity theft victims in costs associated with stolen identities and false charges.

The defendants allegedly sought corporate victims engaged in financial transactions, retailers that received and transmitted financial data and other institutions with information they could exploit for profit. The defendants are charged with attacks on NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland Payment Systems, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard. It is not alleged that the NASDAQ hack affected its trading platform.

Click here to read how they did it.

According to the second superseding indictment unsealed Thursday in Newark federal court and other court filings, the five men each served particular roles in the scheme. Vladimir Drinkman, 32, of Syktyykar and Moscow, Russia, and Alexandr Kalinin, 26, of St. Petersburg, Russia, each allegedly specialized in penetrating network security and gaining access to the corporate victims' systems. Roman Kotov, 32, of Moscow, allegedly specialized in mining the networks Drinkman and Kalinin compromised to steal valuable data. Court documents allege that the defendants hid their activities using anonymous web-hosting services provided by Mikhail Rytikov, 26, of Odessa, Ukraine. Dmitriy Smilianets, 29, of Moscow, allegedly sold the information stolen by the other conspirators and distributed the proceeds of the scheme to the participants.

Kalinin and Drinkman were previously charged in New Jersey as "Hacker 1" and "Hacker 2" in a 2009 indictment charging Albert Gonzalez, 32, of Miami, in connection with five corporate data breaches--including the breach of Heartland Payment Systems Inc., which at the time was the largest breach ever reported. Gonzalez is currently serving 20 years in federal prison for those offenses.

The U.S. Attorney's Office for the Southern District of New York announced two additional indictments against Kalinin: one charges him in connection with hacking certain computer servers used by NASDAQ and a second indictment, unsealed today, charged Kalinin and another alleged Russian hacker, Nikolay Nasenkov, with an international scheme to steal bank account information by hacking U.S.-based financial institutions. Rytikov was previously charged in the Eastern District of Virginia with an unrelated scheme. Kotov and Smilianets have not previously been charged publicly in the United States.

Drinkman and Smilianets were arrested at the request of the United States while traveling in the Netherlands on June 28, 2012. Smilianets was extradited on Sept. 7, 2012, and remains in federal custody. He will appear in New Jersey federal court to be arraigned on the superseding indictment on a date to be determined. Kalinin, Kotov and Rytikov remain at large. All of the defendants are Russian nationals except for Rytikov, who is a citizen of Ukraine.

If convicted, the maximum penalties for the charged counts are: five years in prison for conspiracy to gain unauthorized access to computers; 30 years in prison for conspiracy to commit wire fraud; five years in prison for unauthorized access to computers; and 30 years in prison for wire fraud. The charges and allegations contained in the indictment are merely accusations, and the defendants are considered innocent unless and until proven guilty.

A spokesperson for Dallas-based 7-Eleven Inc. told CSP Daily News that it "does not intend to comment on the matter."

U.S. Attorney Paul J. Fishman of the District of New Jersey; Acting Assistant Attorney General Mythili Raman of the Justice Department's Criminal Division; and Special Agent in Charge James Mottola of the U.S. Secret Service (USSS), Criminal Investigations, Newark, N.J., Division announced the charges. The USSS led the investigation of the indicted conspiracy.