Dave & Buster's Data Breach Indictment: Apps Crash For The Bad Guys, Too

It was April 2007 when a pair of cyberthieves from the Ukraine and Estonia set out to try and grab payment card data from the 49-store Dave & Buster's restaurant chain. But according to a federal indictment and a U.S. Secret Service affidavit unsealed May 12, 2008, the pair quickly discovered that software can be an equal-opportunity crasher.

The problems started when the pair—Maksym Yastrenskiy of Kharkov, Ukraine, who used the name Maksik, and Aleksandr Suvorov of Sillamae, Estonia, who used the name Johnny Hell—installed a packet sniffer on the chain's network to try and capture Track 2 data as it moved from the POS server to the acquiring bank's authentication system.

"The packet sniffer malfunctioned and (the pair) did not capture any Track 2 data," according to the indictment.

But the pair persisted and eventually got the software to work in about 11 restaurants, ultimately grabbing plenty of Track 2 data, such as information about some 5,000 credit and debit cards (with losses of "at least $600,000") from a single restaurant, including a 5-GByte log file that Yastrenskiy bragged about in an intercepted May 30, 2007, text message, according to federal documents.

But the pair's tech difficulties didn't end.

"As a result of a defect in the software program for the packet sniffer, the packet sniffer automatically deactivated whenever the compromised (Dave & Buster's) POS servers rebooted in the normal course of the operation of the servers," the indictment said. "Therefore, in order for the packet sniffers to capture data from the compromised D&B POS servers on an ongoing basis, the defendants Yastrenskiy and Suvorov had to regularly reactivate the packet sniffers." (Wonder if there's any money in launching a Cyberthief Helpdesk?)

Authorities also indicted Albert Gonzalez of Miami—also known as Segvec and SoupNazi—for providing the packet sniffer, and he was charged with wire fraud. All three defendants are reportedly in custody, with Turkish officials having arrested Yastrenskiy in Turkey in July 2007, where a federal statement said he "remains in jail on potential violations of Turkish law. A formal request for extradition of Yastrenskiy to the United States has been made to the Turkish government."

Suvorov was arrested in March 2008 by German officials while he was visiting that country—he's also reportedly still imprisoned in Germany, pending the outcome of a U.S. extradition request. The U.S. Secret Service arrested Gonzalez in Miami in May 2008, which is what allowed the indictments to be unsealed.

Based on what federal authorities said was a forensic examination of the restaurant chain's server logs, the group began its data breach efforts when they tried to crack into a Dave & Buster's POS server at a restaurant in Arundel, Maryland, in April 2007. That's the incident where the software wouldn't capture any data.

But a year ago, on May 18, 2007, the group instead accessed a corporate POS server at Dave & Buster's headquarters in Dallas. "From there, (they) successfully installed the packet sniffer on POS servers at 11 D&B restaurants," according to a May 12 federal arrest warrant affidavit from U.S. Secret Service Agent Matthew Lynch. They tried again on Sept. 22, 2007, but the chain's IT department was able to block the attempt.

"Investigation has revealed that approximately 5,100 MasterCard and Visa cards as well as 32 American Express cards were used" in the penetrated restaurants at the time, the affidavit said, adding that unauthorized purchases were later found to have been made on 675 of the cards.

When the Turkish National Police seized Yastrenskiy's laptop, the affidavit said, it found many ICQ instant messages along with "millions of stolen credit card numbers and a folder that contained a packet sniffer used in the D&B intrusions."

The federal documents also said that this group apparently hit an unidentified "major retailer" back in 2005 and that the sniffer used in the Dave & Buster's breach had been customized for the first retailer and was simply re-used for Dave & Buster's.

The documents quote an analyst with the Computer Emergency Response Team Coordinating Center (CERT-CC) as having analyzed the sniffers found on in both incidents. The unnamed CERT analyst described both sniffers as "efficient, well-designed and [using] some algorithms and data structures that reflect college-level knowledge of computer programming skills, whether acquired through self-study or, as he believed more likely, through formal training."

The unspecified breach of the "major retailer" involved a 44-GByte transfer of credit-card information on Nov. 18-19, 2005. It's not clear from the documents who the major retailer was, but the dates involved could be referring to TJX.