UPDATE: Feds charge three with hacking data from Dave & Buster’s

WASHINGTON The federal government on Monday charged three suspects with hacking into computers at Dave & Buster’s units last year and stealing credit and debit card numbers.

A27-count indictment, which a federal grand jury returned on March 12 and a judge unsealed Monday in Central Islip, N.Y., charges Maksym Yastremskiy, of Kharkov, Ukraine, and Aleksandr Suvorov, of Sillamae, Estonia, with various counts of wire fraud, identity theft and intercept of electronic communications. A one-count complaint charges Albert Gonzalez of Miami with wire fraud conspiracy related to the scheme.

The indictment alleges the three hacked into cash register terminals at 11 Dave & Buster’s units in May 2007 to acquire customers’ credit and debit card information and then sold the data to others who made purchases on the accounts. Dave & Buster’s, the big-box entertainment and restaurant company based in Dallas, has 49 locations in the United States and Canada.

Dave & Busters has fully cooperated and assisted in the U.S. Secret Service investigation of the case, according to prosecutors with the U.S. attorney's office for the Eastern District of New York and the Justice Department criminal division’s computer crime and intellectual property section.

The indictment alleges that Yastremskiy, also known as Maksik, and Suvorov, known as “JonnyHell,” installed a malicious computer code called a "packet sniffer" on registers to capture communications on the company’s network. The packet sniffer was configured to capture “track 2” data, which includes the customer’s account number and card expiration date, from the magnetic strip as information moved from the restaurant's point-of-sale server through the computer system at the company's corporate headquarters to the data processor's computer system.

Dave & Buster's said in a statement on Tuesday that it was alerted to the hacking in late August 2007 and immediately contacted the U.S. Secret Service. While Dave & Buster's aided the government investigations, the company said it also retained outside security experts who identified the source of the data compromise.

The company said it has implemented additional security measures to prevent such an incident from occurring again.

The 11 stores compromised were in Westminster, Colo.; Utica, Mich.; Chicago; Columbus, Ohio; Jacksonville, Fla; the New York cities of Islandia and West Nyack; and the Texas cities of Austin, Frisco and Dallas.

Neither the company nor the government indicated the total losses that resulted from the data breach. The Justice Department said that at one restaurant the packet sniffer captured data for about 5,000 credit cards, eventually causing losses of at least $600,000 to issuing financial institutions.

Dave & Buster’s said it does not store credit or debit card numbers or customer names. Information to help in the identification of affected cardholders was provided to the credit card companies by Dave & Buster's and Chase Paymentech Solutions LLC, the company’s credit card merchant acquirer.

“As soon as we became aware of the breach in August 2007, we took steps to secure our systems and remain confident that they are safe today," said Steve King, chief executive of Dave & Buster’s. “We thank the Secret Service and the Department of Justice for their diligence in arresting and prosecuting those responsible for this crime and look forward to working closely with them during the pendency of this criminal matter.”

Yastremskiy and Suvorov both face charges of wire fraud conspiracy, wire fraud, conspiracy to possess unauthorized access devices, access device fraud, aggravated identity theft, conspiracy to commit computer fraud, computer fraud and counts of interception of electronic

Turkish officials arrested Yastremskiy in Turkey in July 2007, and he remains in jail on potential violations of Turkish law. A formal request for extradition of Yastremskiy to the United States has been made to the Turkish government.

Yastremskiy is the key suspect in the one of the largest hacker attacks ever, the breach of the computer system of TJX Cos. Inc. of Framingham, Mass., parent to the T.J. Maxx and Marshalls retail chains. Hackers in that attack, which was revealed in January 2007, stole information on 45 million credit cards and may have resulted in $197 million in illegal purchases.

At the request of the United States, German officials arrested Suvorov in March while he was visiting that country. He remains in jail in Germany, pending German action on a formal U.S. extradition request. U.S. Secret Service officials arrested Gonzalez in Miami this month.