4 charged in Zippy’s customer credit card data theft
Credit and debit card information stolen in a 2017 and 2018 Zippy’s data breach was used to make fraudulent purchases in 17 foreign countries and 28 states, including 595 in Hawaii, said Deputy Prosecutor Chris Van Marter.
Mahalo for reading the Honolulu Star-Advertiser!
You're reading a premium story. Read the full story with our Print & Digital Subscription.
Already a subscriber? Log in now to continue reading this story.
Credit and debit card
information stolen in a 2017 and 2018 Zippy’s data breach was used to make fraudulent purchases in
17 foreign countries and
28 states, including 595 in Hawaii, said Deputy Prosecutor Chris Van Marter.
An Oahu grand jury returned an indictment Tuesday charging four people with crimes in connection with fraudulent purchases made in Hawaii using the stolen credit and debit card information of Zippy’s customers.
The indictment charges Sean Vincent Kim, Shamika S. Ramirez, Joselyn A. Llanesa and Lilia V. Fontanilla with unauthorized possession of confidential personal information, theft and identity theft. Kim is additionally charged with conspiracy to commit identity theft, computer fraud, fraudulent encoding of a credit card and possession of unauthorized credit card machinery.
State Circuit Judge Shirley Kawamura set bail for Kim at $50,000. She set bail for the other three defendants Tuesday at $11,000.
Van Marter told Kawamura that a cybercriminal group known to law enforcement as FIN7, Carbanak Group and the Navigator Group hacked into the computer system Zippy’s used to process customer credit card and debit card payments, and stole account numbers, expiration
dates and security codes between Nov. 23, 2017, and March 29, 2018.
A federal grand jury in Washington state returned an indictment in November 2017 charging a suspected FIN7 member, Fedir Oleksiyovych Hladyr, with multiple crimes in connection with a sophisticated malware campaign that targeted the computer systems of businesses in the restaurant, gaming and hospitality industries.
Hladyr was arrested by deputy U.S. marshals in
Seattle in March 2018. He remains in custody pending trial in October.
Van Marter said FIN7 sold the Zippy’s customer credit and debit card information on the dark web where Kim purchased it with bitcoin. He said Kim then used the information to manufacture counterfeit credit cards and made fraudulent transactions with them.
He said Ramirez, Llanesa and Fontanilla also used credit and debit card profiles stolen in the Zippy’s data breach to make fraudulent transactions.
When Honolulu police raided Kim’s Kamehameha Heights apartment in August, Van Marter said they recovered 164 stolen credit card profiles on more than 50 devices, a magnetic strip reader and encoder, and blank cards.
Police also found mail
stolen from post office boxes at the downtown Honolulu post office on
Kim is charged with
12 counts of mail theft and is scheduled to stand trial in September in U.S. District Court.
Van Marter told Kawamura that all four defendants are unemployed but that Kim, 38, used to work as an information technology specialist for a computer networking company.
He said the data breach affected numerous financial institutions here, with one losing $244,000.
Zippy’s in January settled a class-action lawsuit over the data breach.
Affected customers had until last month to submit a claim.