The hackers were arrested in various locations, including Turkey and Germany. The hackers sold the stolen data to others who used it to make fraudulent purchases or resold it to make such purchases.
In announcing the arrests, U.S. Attorney Benton J. Campbell said, “Hackers who reach into our country from abroad will find no refuge from the reach of U.S. criminal justice.”
According to the U.S. Department of Justice, the people arrested gained unauthorized access to cash register terminals, though details on how were not specified. They allegedly installed “packet sniffer" programs at each restaurant to capture communications on the Dave & Buster's link. The packet sniffer was configured to capture "track two" data as it moved from each restaurant's point-of-sale server to computer systems at the company's corporate headquarters.
Track two data includes a customer's account number and expiration date, but not cardholder names or other personally identifiable information.
Also involved in the investigation was the U.S. Secret Service.
“This investigation and the resulting indictments should serve as a warning to cybercriminals that law enforcement will continue to pursue them wherever they are,” U.S. Secret Service Director Mark Sullivan said.