US prosecutors have charged five men with hacking and credit card fraud that cost companies at least $300m.
The men from Russia and Ukraine are believed to have stolen more than 160 million credit and debit card numbers from several major US companies over a period of seven years.
Paul Fishman, US Attorney for the District of New Jersey, said this type of crime was “cutting edge” and described the case as "the largest ever hacking and data scheme breach in the United States”, according to the BBC.
"Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy, and our national security.”
Prosecutors said the five hid their activities by disabling antivirus software and storing data on multiple hacking platforms.
They sold card numbers to resellers, who then sold them on online forums or to "cashers" who encoded the numbers onto blank plastic cards, according to the Guardian.
Read more about fraud
- Retailers fail to face up to online fraud, survey shows
- Credit card fraud on the rise again
- Eight hackers charged with $45m cyber fraud
- ID theft biggest fraud threat, says Cifas
- Mobile payments a growing fraud concern
- Fraud prevention group urges more data security education
- RSA Silver Tail improves online fraud detection, enterprise security
- Fight fraud, fog and waste when processing business travel expenses
- Insolvency firm Griffins speeds up fraud forensics with IBM analytics
- Bank fraud claims over four million victims in UK
Targeted companies include a Visa licensee, JetBlue Airways, French retailer Carrefour, Nasdaq, Visa, Dow Jones and JC Penney.
Just three of the corporate victims reported $300m in losses, prosecutors say.
Vladimir Drinkman and Dmitriy Smilianets are in US custody, but Aleksander Kalinin, Roman Kotov and Mikhail Rytikov are still at large.
Prosecutors said Drinkman and Kalinin specialised in penetrating network security and hacking into corporate systems. Kotov specialised in identifying data worth stealing.
Ukrainian, Rytikov is believed to have run the anonymous web-hosting services that enabled the others to carry out their activities, while Smilianets sold stolen data and distributed the profits.
A sixth man, Albert Gonzalez, was named as a co-conspirator, but is already serving a 20-year jail term for corporate data hacking.