Cezar Butu of Romania, who pleaded guilty to taking part in hacking terminals at hundreds of U.S. Subway sandwich shops from 2009 to 2011, was sentenced this week to 21 months in prison.
Investigators eventually determined that thousands of payment cards and millions of dollars were stolen during the hacks, which Butu committed along with two other co-conspirators, according to the U.S. Department of Justice.
Butu pleaded guilty to one count of conspiracy to commit access device fraud in U.S. District Court in New Hampshire last September, while his co-conspirator Iulian Dolan also pleaded guilty to one count of conspiracy to commit computer fraud and two counts of conspiracy to commit access device fraud. Dolan will be sentenced to a seven-year term in April, the department stated.
The pair was part of a four-man gang that remotely hacked the POS systems of more than 200 retail outlets, including 150 Subway stores, the department report says.
According to court documents, Butu and his co-conspirators used the stolen data to make unauthorized charges and fund transfers from cardholders' accounts.
According to his plea agreement, Butu also attempted to sell, or otherwise transfer, the data to others. Butu admitted to acquiring information from around 140 cardholders, the Justice Department report states.
A third alleged co-conspirator, Adrian-Tiberiu Oprea, is set to go on trial next month in district court.
At the time the breach was uncovered by law enforcement in late 2011, Gartner senior analyst and fraud expert Avivah Litan noted that the hackers were using familiar methods to make their way into the POS systems.
“It’s been going on for a couple of years now, where the bad guys get system administration access and figure out how services work from different vendors and learn which merchants buy those systems,” Litan said last year.