KiliKiki +

Four Indicted In $9 Million RBS WorldPay Hack

Four men were indicted on Tuesday for allegedly hacking into Atlanta, Ga.-based payment processor RBS WorldPay and stealing over $9 million from ATMs around the globe.

A federal grand jury returned indictments against Sergei Tsurikov, 25, of Tallinn, Estonia; Viktor Pleshchuk, 28, of St. Petersburg, Russia; Oleg Covelin, 28, of Chisinau, Moldova; and a person identified only as “Hacker 3.”

A year ago, RBS WorldPay, owned by the Royal Bank of Scotland, was hacked in what Acting U.S. Attorney Sally Quillian Yates described as “perhaps the most sophisticated and organized computer fraud attack ever conducted.”

On December 23, 2008, the company announced that on November 10 of that year, it had discovered “its computer system had been improperly accessed by an unauthorized party.”

RBS WorldPay, which processes credit and debit transactions for other financial companies, said that certain personal information for 1.5 million cardholders and other individuals may have been affected and that as many as 1.1 million of these people may have had their social security numbers accessed.

According to the indictment, the alleged fraud arising from the incident involved far less information — 44 payroll debit cards.

The indictment says that Covelin identified the vulnerability in RBS WorldPay’s network that allowed the hackers to get in and that Pleshchuk and Tsurikov “developed a method by which the conspirators reverse engineered Personal Identification Numbers (PINs) from the encrypted data on the RBS WorldPay computer network.”