The scheme was run by four Russian nationals and a Ukrainian, said the United States attorney for the District of New Jersey, Paul J. Fishman, who announced the indictments in Newark.
The victims in the scheme, which prosecutors said ran from 2005 until last year, included J. C. Penney; 7-Eleven; JetBlue; Heartland Payment Systems, one of the world’s largest credit and debit processing companies; and the French retailer Carrefour.
Separate indictments involving some of the same men, accusing them of computer attacks on Citibank, PNC Bank and the Nasdaq stock exchange, were filed by federal prosecutors in Manhattan.
Computer security experts said the scheme was notable for how long it lasted, how well coordinated it was and how it carefully singled out specific systems in the financial companies’ servers to steal from so many personal credit and debit card accounts.
The attackers had a sophisticated division of labor, according to the indictment. One hosted an anonymous Web server. Others broke into the targeted sites. Still another went inside and fetched the items of interest. The tactic is a signature of Russian organized crime syndicates.
“It is a really potent reminder of what researchers have been saying: The bigger threat is coming from criminal gangs, most of which are coming from Russia,” said Fred H. Cate, director of the Center for Applied Cybersecurity Research at Indiana University in Bloomington. “It’s far more immediately impactful than threats coming from China.”
The defendants were identified as Vladimir Drinkman, Aleksandr Kalinin, Roman Kotov and Dmitriy Smilianets of Russia and Mikhail Rytikov of Ukraine. Mr. Smilianets and Mr. Drinkman were arrested in the Netherlands last year. Mr. Smilianets has already been extradited to the United States, where he is expected to make his first court appearance next week. The other three are at large.
The defendants would use so-called SQL injections, which infect a computer system with malicious software that in turn allows the attackers to steal or manipulate the contents of the system. Once they gained access to credit card numbers, some of the men would sell them to resellers.
“They were very patient and relentless,” Mr. Fishman said at a news conference on Thursday.
 |
| United States Attorney Paul J. Fishman, left, on Thursday after announcing the indictments in a hacking and data breach case. |
When the men’s attack on the supermarket chain Hannaford was noticed, a Florida man who worked with the defendants wrote in an instant message to Mr. Kalinin that “Hannaford will spend millions to upgrade their security!! lol,” according to the indictment.
Mr. Kalinin reportedly wrote back, “They would better pay us to not hack them again.”
The defendants were generally able to sell American credit card numbers for $10 and European numbers for $50 because of the poorer security safeguards on American cards, Mr. Fishman said.
Mr. Fishman said Heartland Payment Systems had suffered the biggest losses identified so far, about $200 million. Heartland said in a statement that its breach ended in 2008 and that it would “continue supporting” law enforcement organizations.
In the indictment unsealed in Manhattan, Mr. Kalinin and another Russian, Nikolay Nasenkov, who is also at large, are accused of conducting a scheme to steal bank account information and use it to withdraw millions of dollars from the victims’ bank accounts. From December 2005 through November 2008, the two men hacked into computer systems and stole information from banks including Citibank and PNC Bank, according to the indictment.
The cases are likely to buttress the arguments of those pushing for federal laws to promote greater sharing of information between private companies and law enforcement agencies. Legislation has been proposed — and defeated — largely on the grounds that it would empower federal law enforcement authorities to snoop on private communications.
