Seven people in Romania were charged yesterday in connection to the largest credit card data theft in Australia’s history.
The criminal syndicate in Romania had access to 500,000 Australian credit cards, around 30,000 of which were used to make fraudulent transactions totalling more than $30 million, the Australian Federal Police (AFP), Australian Bankers’ Association (ABA) and Abacus Australian Mutuals said in a joint statement.
According to a news report by Sophos’ security blog, the hackers installed remote desktop software on Point of Sale (PoS) systems belonging to small Australian businesses to record credit card numbers people entered into the terminal.
The stolen credit card data was then being used to create false credit cards, the AFP said, enabling thousands of counterfeit transactions to be carried out in Europe, Hong Kong, Australia and the US.
The joint operation, codenamed “Operation Lino” started in 2011 when an Australian financial institution contacted the AFP to notify them of suspicious credit card transactions.
When the AFP tracked the source of the suspicious transactions, the investigation grew to include international law enforcement partners including the Romanian police, who detained 16 people in Romania and arrested seven.
No Australian credit card holders lost money as a result of the fraudulent transactions due to Australian banks reimbursing cardholders’ losses, the AFP said.
Commander Glen McEwen, AFP manager for cyber crime operations, said it was the largest data breach investigation ever undertaken by Australian law enforcement.
“Without the cooperation of 13 other countries, along with Australia’s banking and finance sector, we would not have been able to track these illegal transactions to the criminal network in Romania,” he said.
“Banks have advanced monitoring systems to prevent fraud and in this case, they contacted customers when suspicious transactions occurred,” said Steven Muchenberg, CEO of the ABA. “Often banks will take immediate action to protect the account, stop transactions and cancel cards when it is confirmed that fraud may have been perpetrated.”