US prosecutors have launched what they say is the country’s largest ever hacking fraud case.
Five men in Russia and Ukraine have been charged with running a hacking operation that allegedly stole more than 160 million credit and debit card numbers from a number of major US companies over a period of seven years.
Losses from the thefts amounted to hundreds of millions of dollars.
Corporate victims included Nasdaq, Visa, Dow Jones and JC Penney.
Paul Fishman, US Attorney for the District of New Jersey, called the case “the largest ever hacking and data scheme breach in the United States”.
Just three of the corporate victims reported $300m (£196m) in losses, prosecutors say.
Other victims included Heartland Payment Systems, one of the world’s largest credit and debit card payment processing companies; French retailer Carrefour; Dexia Bank Belgium; and 7-Eleven.
The indictment identified the defendants as Vladimir Drinkman, Aleksander Kalinin, Roman Kotov and Dmitriy Smilianets, all from Russia, and Mikhail Rytikov, a Ukrainian.
All five are charged with taking part in a computer hacking conspiracy and conspiracy to commit wire fraud.
Drinkman and Kalinin specialised in penetrating network security and hacking into corporate systems, prosecutors allege, while Kotov specialised in trawling through the data looking for information worth stealing.
Rytikov ran the anonymous web-hosting services that enabled the others to carry out their activities, while Smilianets sold on the stolen data and farmed out the proceeds, prosecutors say.
“This type of crime is the cutting edge,” said Mr Fishman. “Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy, and our national security.”
One of the co-conspirators named is Albert Gonzalez, known online as “soupnazi”, who was charged along with Kalinin and Drinkman in 2009 and is already serving 20 years for corporate data hacking.
Drinkman and Smilianets are both in custody but the other three remain at large.
The attacks often involved identifying weaknesses in Structured Query Language (SQL) databases and uploading malware that gave the attackers access to corporate networks.
“Sniffer” software then sought out and collected valuable personal data that the defendants could sell on to other criminals around the world.
Credit card numbers were sold for $15 to $50 each, prosecutors say. This stolen data could be transferred to blank cards then used to withdraw cash or make purchases.
The prosecutors said the defendants encrypted their communications and managed to disable security systems on corporate networks to prevent detection.