Security Experts:

Romanian Sentenced to 21-months for Payment Card Theft

After pleading guilty last September, the US Department of Justice said on Tuesday that Cezar Butu, of Ploiesti, Romania, has been sentenced to 21-months in prison for his admitted role in a Web-based scam targeting payment card data.

Butu accepted a plea agreement last year, which involved him pleading guilty to the charges against him in exchange for the sentence he has received. Butu accepted his agreement on the same day that one of his co-conspirators, Iulian Dolan, of Craiova, Romania, did. Dolan will be sentenced in April.

In 2009, continuing into 2011, Butu and the others he was working with targeted systems in the U.S. in order to steal credit card information. The goal was to use the harvested data to make fraudulent purchases or transfer funds. The group scanned the Web for POS stations with vulnerable or poorly protected remote administration software. When they discovered said systems, they would access them and install information stealing malware.

According to prosecutors, the case involved more than 146,000 compromised cards and more than $10 million in losses. According to Butu’s plea agreement, he attempted to sell, or otherwise transfer, the stolen payment card data to other co-conspirators for them to make unauthorized purchases and transfer funds. In addition, he admitted to acquiring stolen payment card data belonging to approximately 140 cardholders during the course of the scheme.

As mentioned, the plea agreement included a sentence of 21 months for Butu, and the other who pled guilty with him last September, Dolan, will be sentenced in April. A third co-conspirator, Adrian-Tiberiu Oprea, has a trial scheduled in February.

For anyone keeping score, this case is related to the Subway breach that was reported in 2009.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.