Company running background checks on job applicants hacked

Mar 25, 2015 16:41 GMT  ·  By

A Romanian working as a systems administrator at a large financial institution in the country has been extradited to the US to face charges related to cyber-attacks against companies and individuals in the US.

Among the victims are retailers, security companies and medical offices, whose computers were compromised with malware that exfiltrated sensitive information used by the hacker for personal financial gain.

Data exfiltrated to email addresses

29-year-old Mircea-Ilie Ispasoiu from Drobeta-Turnu Severin allegedly carried out the attacks from August 2011 through February 2014, and he is accused of stealing account log-in credentials, personally identifying information (PII) and payment card data.

Once the malware was planted on the targeted computer, it would record keystrokes and capture screens, which would be delivered to an email address Ispasoiu controlled.

The indictment document alleges that the hacker shared the stolen data with other individuals and used it to make unauthorized money transfers from the victims’ bank accounts.

According to information from the Attorney’s Office for the District of New Jersey, the defendant stole more than $10,000 / €9,100 from one of the victims.

Major job applicant investigation company hacked

In the indictment, it is mentioned that one of the compromised computers belonged to a company that ran background checks on applicants for jobs. The information exfiltrated included names, addresses, social security numbers and fingerprints.

The names of the victims are not disclosed, but CICS Employment Services, whose activity involves background checks, including criminal screens, was alerted earlier this year by the FBI of a potential security breach. The company seems to fit the profile.

Ispasoiu was arrested on November 13, 2014, and on January 26, 2015, the Bucharest Court of Appeal granted his extradition. He arrived in New Jersey on March 20, 2015, and three days later appeared in the Newark federal court.

He is charged with two counts of wire fraud, two counts of unauthorized computer access to obtain information, two counts of unauthorized computer access that caused damage, and three counts of aggravated identity theft.

The maximum penalty for the wire fraud charges is 30 years in jail and a $1 million / €911,500 fine, or twice the gain or loss of the offense.