The software stored the captured data in a log file, from which it was later collected by Yastremskiy and Suvorov, according to the indictment. The document says that a defect in the packet sniffer caused it to deactivate each time an infected server was booted up. But each time that happened, Yastremskiy and Suvorov allegedly went back into the compromised systems and reactivated the malware.
As an example of the thefts, the indictment says that a log file retrieved from one store contained data on about 5,000 credit and debit cards. The stolen data allegedly was later sold to other individuals, who used the information or resold it themselves -- eventually causing losses of US$600,000 or more to the financial institutions that issued the affected cards.
The disclosure by Dave & Buster's follows similar ones in March by Hannaford Bros. and Okemo Mountain Resort. In Hannaford's case, the US-based supermarket chain said that up to 4.2 million credit and debit card numbers and their expiration dates were stolen by a packet-sniffing tool while the information was being transmitted to its external payment processor to authorize transactions. The malware was planted on servers at nearly 300 grocery stores in New England, New York and Florida, Hannaford said.
The Hannaford breach was one of the first confirmed data thefts in which such a large amount of information was stolen while it was in transit, as opposed to being stored on a company's systems. Hannaford also said it was fully compliant with the requirements of the Payment Card Industry Data Security Standard, which is known informally as PCI. That claim has raised questions about how useful the security standard is in protecting companies against such thefts, although PCI officials in turn have questioned whether Hannaford really was compliant.
Two weeks after Hannaford made its disclosure, US-based Okemo reported a breach involving the theft of data as payment cards were being swiped at the ski area's cash registers. An Okemo spokeswoman said law enforcement authorities who were investigating the breach told the resort that they were looking into about 50 reported incidents of the same sort in the Northeast alone.
The disclosure by Dave & Buster's is another indication that data thieves are increasingly targeting retail POS systems, said Rosen Sharma, chief technology officer at Solidcore Systems, a vendor of change management software.
The focus of efforts such as PCI has been on strengthening security at the network perimeter and at the points where payment card data is centrally pooled by retailers and then forwarded to payment processors, Sharma said. He added that in contrast, a lower priority has been placed on securing POS systems, making them a relatively soft target for attackers to go after.
At many retail locations, there are few restrictions on access to POS servers, Sharma claimed. "You can walk right up to these machines and stick a USB device into them," he said. The POS servers may not yield a large volume of payment card data at one time, he noted -- but over a longer period, they can prove extremely valuable to data thieves.