4 charged in Zippy’s customer credit card data theft (updated)
Nelson Daranciang reports:
Credit and debit card information stolen in a 2017 and 2018 Zippy’s data breach was used to make fraudulent purchases in 17 foreign countries and 28 states, including 595 in Hawaii, said Deputy Prosecutor Chris Van Marter.
You can read more on Honolulu Star-Advertiser if you have a subscription.
Back in January, Zippy’s settled a class action lawsuit stemming from the breach. At the time, the FBI had attributed the hack to FIN7. So if they have now charged four people, have they actually apprehended anyone from FIN7, or have they charged others who were not part of FIN7 — or were they incorrect in their earlier attribution? I guess we’ll have to wait to find out more as I cannot find any DOJ press release yet and without names, it’s difficult to find filings on PACER.
Update: KHON names those charged:
The Honolulu Prosecutors Office now formally charging four people accused of using the stolen card profiles to make fraudulent purchases. The four charged are Sean Kim, Shamika Ramirez, Joselyn Llanesa and Lilia Fontanilla.
“The hackers then made those available on the internet to people who were willing to purchase them. Sean Vincent Kim was one of the people who used the internet to purchase the fraudulent accounts,” said Van Marter.
So it sounds like they didn’t get the hackers but got some of the people who purchased the hacked data and misused it.