Dave & Buster’s Data Breach Indictment: Apps Crash For The Bad Guys, Too

Written by Evan Schuman
May 16th, 2008

It was April 2007 when a pair of cyberthieves from the Ukraine and Estonia set out to try and grab payment card data from the 49-store Dave & Buster’s restaurant chain. But according to a federal indictment and a U.S. Secret Service affidavit unsealed May 12, 2008, the pair quickly discovered that software can be an equal-opportunity crasher.

The problems started when the pair—Maksym Yastrenskiy of Kharkov, Ukraine, who used the name Maksik, and Aleksandr Suvorov of Sillamae, Estonia, who used the name Johnny Hell—installed a packet sniffer on the chain’s network to try and capture Track 2 data as it moved from the POS server to the acquiring bank’s authentication system.

"The packet sniffer malfunctioned and (the pair) did not capture any Track 2 data," according to the indictment.

But the pair persisted and eventually got the software to work in about 11 restaurants, ultimately grabbing plenty of Track 2 data, such as information about some 5,000 credit and debit cards (with losses of "at least $600,000") from a single restaurant, including a 5-GByte log file that Yastrenskiy bragged about in an intercepted May 30, 2007, text message, according to federal documents.

But the pair’s tech difficulties didn’t end.

"As a result of a defect in the software program for the packet sniffer, the packet sniffer automatically deactivated whenever the compromised (Dave & Buster’s) POS servers rebooted in the normal course of the operation of the servers," the indictment said. "Therefore, in order for the packet sniffers to capture data from the compromised D&B POS servers on an ongoing basis, the defendants Yastrenskiy and Suvorov had to regularly reactivate the packet sniffers." (Wonder if there’s any money in launching a Cyberthief Helpdesk?)

Authorities also indicted Albert Gonzalez of Miami—also known as Segvec and SoupNazi—for providing the packet sniffer, and he was charged with wire fraud. All three defendants are reportedly in custody, with Turkish officials having arrested Yastrenskiy in Turkey in July 2007, where a federal statement said he "remains in jail on potential violations of Turkish law. A formal request for extradition of Yastrenskiy to the United States has been made to the Turkish government."

Suvorov was arrested in March 2008 by German officials while he was visiting that country—he’s also reportedly still imprisoned in Germany, pending the outcome of a U.S. extradition request. The U.S. Secret Service arrested Gonzalez in Miami in May 2008, which is what allowed the indictments to be unsealed.

Based on what federal authorities said was a forensic examination of the restaurant chain’s server logs, the group began its data breach efforts when they tried to crack into a Dave & Buster’s POS server at a restaurant in Arundel, Maryland, in April 2007. That’s the incident where the software wouldn’t capture any data.

But a year ago, on May 18, 2007, the group instead accessed a corporate POS server at Dave & Buster’s headquarters in Dallas. "From there, (they) successfully installed the packet sniffer on POS servers at 11 D&B restaurants," according to a May 12 federal arrest warrant affidavit from U.S. Secret Service Agent Matthew Lynch. They tried again on Sept. 22, 2007, but the chain’s IT department was able to block the attempt.

"Investigation has revealed that approximately 5,100 MasterCard and Visa cards as well as 32 American Express cards were used" in the penetrated restaurants at the time, the affidavit said, adding that unauthorized purchases were later found to have been made on 675 of the cards.

When the Turkish National Police seized Yastrenskiy’s laptop, the affidavit said, it found many ICQ instant messages along with "millions of stolen credit card numbers and a folder that contained a packet sniffer used in the D&B intrusions."

The federal documents also said that this group apparently hit an unidentified "major retailer" back in 2005 and that the sniffer used in the Dave & Buster’s breach had been customized for the first retailer and was simply re-used for Dave & Buster’s.

The documents quote an analyst with the Computer Emergency Response Team Coordinating Center (CERT-CC) as having analyzed the sniffers found on in both incidents. The unnamed CERT analyst described both sniffers as "efficient, well-designed and [using] some algorithms and data structures that reflect college-level knowledge of computer programming skills, whether acquired through self-study or, as he believed more likely, through formal training."

The unspecified breach of the "major retailer" involved a 44-GByte transfer of credit-card information on Nov. 18-19, 2005. It’s not clear from the documents who the major retailer was, but the dates involved could be referring to TJX.


3 Comments | Read Dave & Buster’s Data Breach Indictment: Apps Crash For The Bad Guys, Too

  1. Biff Matthews Says:

    Finally! As Paul Harvey said, now for the rest of the story, which is yet to unfold, taking years, is what happens to these cyber criminals. Swift and meaningful punishment is necessary to send a message to those considering a life of cyber crime.

  2. Evan Schuman Says:

    Editor’s Note: That’s a nice sentiment, but I cynically doubt it would do any good. It’s like increasing the penalties for illegal narcotic distribution. There is SO much money to be made with these schemes–and the chances of being caught are so slight–that these punishments won’t do much good.
    The deterrence of any punishment only exists if the one you’re trying to deter has any reasonable belief they’ll get caught and convicted.
    These cyber thieves are generally confident, cocky and quite careful. Reality aside, they are likely to BELIEVE they’ll never get caught. Therefore, no punishment will likely any impact.
    I hope I’m wrong, though.

  3. Reality Says:

    Most people think that I’m strange, but as an InfoSec Professional, I have done away with my Credit Cards, and have gone back to a completely cash life. Purchasing goods online, or using a card in store clearly isn’t safe, and the retailers, credit card companies, and the banks really don’t care.

    I get to see the PCI scans, and the amount of money that the PCI efforts cost companies, yet, we still have issues with simple security.

    Organizations don’t really want to apply the correct methods of securing their systems, because they don’t have the talent, or the time to put the proper tracking, access controls, and testing into practice. Of course, if they did, they wouldn’t be making that extra $00.03 per transaction, costing them millions in the long run.

    It’s cheaper to pay the fines, let the current practices “protect” them, making everyone feel safe.

    It is a case where “Ignorance is Bliss!” is truly the status quo.

    “In God we Trust, all others pay cash.” It’s one way to prevent credit card theft, identity theft, and loss of our hard earned money.

    Try it, it’s freedom.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.