Evan Schuman's StorefrontBacktalk

The latest major retail data breach—involving 150 Subway locations and more than 50 other retailers, payment-card data from more than 80,000 shoppers and more than $3 million in bogus, but completed, transactions—is different than its predecessors for several reasons. Most notably, it appears to be the first major breach that was initially detected by a chain’s own IT team.

An indictment unsealed on December 7 charged a group of four Romanians with attacking the chains, using brute-force attacks to guess passwords. The essence of the attacks’ success, though, was based on two weaknesses: different unsecured remote-access packages used by various franchisees of Subway, which enabled easy Internet access to POS systems; and card swipes with minimal encryption. That meant key-capture software installed by the cyberthieves was able to grab data in the clear, as it was being swiped.

The details of the attack, culled from federal filings and more than a half-dozen sources involved in the probe, outlines a three-year series of assaults beginning in 2008 and not fully halted until May 2011. The accused—Adrian-Tiberiu Oprea, Iulian Dolan, Cezar Iulian Butu and Florin Radu—were described as running a low-tech operation seeking soft targets. And it seems they found such targets in Subway franchise locations. Subway has since revamped its POS security, deploying point-to-point encryption, which required replacing its card swipes with encrypted magstripe readers, among other changes.

The more than 50 other retailers involved were not identified, but one official involved in the probe said they were mostly “smaller mom-and-pop choices” and a small regional chain with 20 to 30 stores and perhaps one slightly larger chain, which had “no more than two stores” attacked.

How the attack was discovered is an interesting side note to the case. Typically, with most of the major retail data breaches that have been prosecuted recently (including TJX, Hannaford, 7-Eleven, Wet Seal, JCPenney, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, DSW, Forever 21 and Dave & Buster’s), it has typically been a card brand detecting fraud and tracing it to a common point of purchase or the Secret Service learning of a breach (perhaps through wiretaps or intercepted messages) while investigating some other breach. The closest to a retailer discovering the breach was Target, which detected the breach after it happened, but that was long after the probe was ongoing with other victims of the same attackers (the Albert Gonzalez gang).

In this case, it seems frauds detected by a card issuer and a breach detected by Subway IT happened almost simultaneously. The issuer detected some frauds in New Hampshire and contacted law enforcement to try and figure out what was happening. That probe had just started when Subway detected its breach and reported it to the government.

Subway’s IT group “found it independently,” said one official involved in the probe.

Oddly enough, a Subway statement said law enforcement had first discovered the breach, a position disputed by multiple sources involved in the probe. “Upon learning about this (federal) investigation, we immediately took steps to improve our point-of-sale systems in the stores to make our customer transactions even more secure,” said the Subway statement. Subway declined to explain the apparent contradiction.

Note: Almost no one involved in the probe from various federal agencies—including the U.S. Justice Department, the U.S. Attorney’s Office in New Hampshire or the U.S. Secret Service’s field office in Boston—or any of the many victims was willing to discuss the case for attribution.

The remote access software was put in place by various franchisees, apparently not following Subway guidelines. “It created an open door. The franchisees did this on their own,” said one official.