Gizmodo reports that 150 different Subway stores and at least 50 retail shops were affected, with the hackers collecting information from more than 80,000 customers. Ars Technica reports that the hackers committed the crime without too much effort, relatively speaking:
"This is the crime of the future," said Dave Marcus, director of security research and communications at McAfee Labs in an interview with Ars. Instead of coming in with guns and robbing the till, he said, criminals can target small businesses, "root them from across the planet, and steal digitally."
The tools used in the crime are widely available on the Internet for anyone willing to take the risks, and small businesses' generally poor security practices and reliance on common, inexpensive software packages to run their operations make them easy pickings for large-scale scams like this one, Marcus said.
Ars Technica goes on to report that Konrad Fellmann, audit and compliance manager for SecureState, says that in most situations gaining access to credit card information in the way these hackers did wouldn't be possible. The PCI Security Standards Council bans remote access for systems storing credit card information. But for smaller businesses that don't store credit card info, this rule does not apply. Subway franchises should have abided by the PCI rule, but Evan Schuman, editor of retail technology trade site StorefrontBacktalk, said that franchise owners often "directly and blatantly disregarded" the policy, according to Ars Technica.
Some of the data, Ars Technica reports, was used to make fake credit cards.