U.S. prosecutors have charged five foreign nationals with payment card theft resulting in more than $300 million (USD) in losses for companies in the U.S. and in Europe in what they described as the country's largest hacking fraud case in history.
Victims include Visa, Dow Jones and J.C. Penney.
"This type of crime is really the cutting edge of financial fraud," said Paul Fishman, U.S. Attorney for the district of New Jersey.
"Those who have the expertise and inclination to break into out computer networks, threaten our economic well being, our privacy and ultimately our national security. And as this case shows, there is a real practical cost because these types of frauds increase the cost of doing business for everyone in America, every consumer, everyday. We cannot be too vigilante and we cannot be too careful," added Fishman.
The indictment named four men residing in Russia and one man in Ukraine.
In addition to payment car theft, charges in the indictment included allegations that the defendants stole log-in credentials from Nasdaq after playing malicious software on the company's computers around May 2007. A spokesman for Nasdaq could not immediately be reached for comment.
The indictment said that from about August 2005 through at least July 2012 the five men and four co-conspirators ran a high-profile hacking ring that was responsible for several of the largest known data breaches to date.
Prosecutors said they conservatively estimate that the group stole at least 160 million credit card numbers, resulting in losses in excess of $300 million.
The hacking ring sold the payment card numbers to resellers, who then sold them on online forums or to "cashers" who encode the numbers onto blank plastic cards that are used to purchase goods or withdraw money from ATMs in what is known as a debit card dump.
"We frequently bring prosecution of the people who use the fruits of this kind of crime, such as organizations of runners and cashers who go from ATM or store-to-store with stolen credit card information and cash out millions of dollars in a matter of hours," said Fishman.
"The individuals charged and arrested in this case are the ones at the top, the ones who steal the data that they sell to the folks that 'cash out.' By arresting two of the key players and identifying three of the others, we believe we have taken a major step towards dismantling this organization," added Fishman.
Among the breaches cited in the case, prosecutors charged that they took approximately 30 million payment card numbers from British payment processor Commidea Ltd in 2008 and 800,000 card numbers from Visa licensee Visa Jordan in 2011.