A hacking group caused more than $1 billion in damages after stealing customers’ financial information from some of the biggest chains in the country, like Chipotle, Chili’s, Arby’s, Red Robin, and Jason’s Deli.
At Chipotle, the breach occurred in 2017, according to the company.
Known as FIN7, the hackers breached computer networks in all 50 states and Washington, D.C. and stole more than 20 million debit and credit card records from more than 6,500 POS terminals at more than 3,600 locations. Intrusions also occurred in the U.K., Australia, and France.
Since at least 2015, FIN7—also known as Carbanak Group and the Navigator Group—used a malware campaign to attack U.S. companies in the restaurant, gambling, and hospitality industries. The group crafted email messages that appeared genuine to employees and accompanied those messages with phone calls to further legitimize the email. Once a file attached to the fraudulent email was opened and activated, FIN7 used its malware to steal payment card data from the business’s customers. Many of the stolen numbers have been offered for sale through online underground marketplaces.
Three members of FIN7 have been charged in the U.S. thus far. Denys Iarmak was sentenced to five years on Wednesday in the U.S. Attorney’s Office’s Western District of Washington. In April 2021, Fedir Hladyr was sentenced to 10 years and in June 2021 Andrii Kolpakov was given seven years.
“Iarmak and his conspirators compromised millions of financial accounts, causing over a billion dollars in losses to Americans and costs to America’s economy,” Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division said in a statement. “Protecting businesses—both large and small—online is a top priority for the Department of Justice. We are committed to working with our international partners to hold such cyber criminals accountable, no matter where they live or how anonymous they think they are.”
The crimes were investigated by the FBI’s Seattle Cyber Task Force. Other organizations providing assistance include the Justice Department’s Office of International Affairs, the National Cyber-Forensics and Training Alliance, numerous computer security firms and financial institutions, and FBI offices across the nation and world.
Multiple restaurant chains have been involved in major cyberattacks within the past year.
In June 2021, McDonald’s revealed hackers stole contact information of U.S. employees and franchisees and other details like seating capacity and square footage of restaurants. In South Korea and Taiwan, the group captured emails, phone numbers, and addresses of delivery customers. Nearly six months later, California Pizza Kitchen reported the names and Social Security numbers of nearly 104,000 current and former employees had been exposed.