Hackers stole 20 million credit card records from Chili’s, Chipotle and others, feds say
A hacking group targeted businesses across all 50 states and stole more than 20 million debit and credit card records from customers, federal officials said.
Denys Iarmak, 32, from Ukraine, is the third member in the group’s scheme to face prison time, the United States Attorney’s Office in the Western District of Washington said in an April 7 news release.
Iarmak was sentenced to five years in prison after pleading guilty to conspiracy to commit wire fraud and conspiracy to commit computer hacking, the news release states. He was arrested in 2019 in Thailand.
His sentencing was the lowest of his co-defendants, according to Yelena Sharova, one of Iarmak’s attorneys.
“Mr. Iarmak faced possible life imprisonment based upon the allegations. Over the past 26 months, through purposeful investigation, we were able to (minimize) the actual involvement of Mr. Iarmak in the alleged criminal activity,” Sharova told McClatchy News.
He is accused of being a “high-level hacker” for a hacking group called FIN7, the news release states.
FIN7 members hacked into businesses across all 50 states and the District of Columbia stealing millions of credit and debit card records, the release states. The hacking cost victims more than $1 billion, officials said.
The group targeted hospitality industries, including restaurants and casinos. Chipotle Mexican Grill, Chili’s Grill & Bar, Arby’s, Red Robin and Jason’s Deli were among the businesses breached by the hacking group, prosecutors said.
To obtain the business card records, hackers used phishing tactics to spread malware on a business’s computer to gain access and control their system, according to the indictment.
For example, a hacker would send an email to an employee of a targeted business asking them to click on an attachment that would spread malware on their systems, court documents show.
If they were targeting a restaurant, they might send an email asking to make a catering order or a complaint about service, prosecutors said in court documents.
The targeted businesses listed in the indictment are in western Washington and include Sonic Drive-In, Red Robin, Chipotle Mexican Grill, Jason’s Deli, BECU and Taco John’s. The group also targeted the Emerald Queen Hotel and Casino near Tacoma.
“Protecting businesses — both large and small — online is a top priority for the Department of Justice. We are committed to working with our international partners to hold such cyber criminals accountable, no matter where they live or how anonymous they think they are,” Assistant Attorney General for the Criminal Division Kenneth A. Polite Jr. said in the release.
Fedir Hladyr, an alleged FIN7 member, was sentenced to 10 years in prison on April 16, 2021.
Andrii Kolpakov, also an alleged hacking group member, was sentenced to seven years in custody on June 24, 2021.
This story was originally published April 7, 2022 at 6:08 PM with the headline "Hackers stole 20 million credit card records from Chili’s, Chipotle and others, feds say."
