4 charged in Zippy’s customer credit card data theft

Select an option below to continue reading this premium story.

Already a Honolulu Star-Advertiser subscriber? Log in now to continue reading.

Get unlimited access

From as low as $12.95 /mo.

Subscribe Now

Credit and debit card information stolen in a 2017 and 2018 Zippy’s data breach was used to make fraudulent purchases in 17 foreign countries and 28 states, including 595 in Hawaii, said Deputy Prosecutor Chris Van Marter.

An Oahu grand jury returned an indictment Tuesday charging four people with crimes in connection with fraudulent purchases made in Hawaii using the stolen credit and debit card information of Zippy’s customers.

The indictment charges Sean Vincent Kim, Shamika S. Ramirez, Joselyn A. Llanesa and Lilia V. Fontanilla with unauthorized possession of confidential personal information, theft and identity theft. Kim is additionally charged with conspiracy to commit identity theft, computer fraud, fraudulent encoding of a credit card and possession of unauthorized credit card machinery.

State Circuit Judge Shirley Kawamura set bail for Kim at $50,000. She set bail for the other three defendants Tuesday at $11,000.

Van Marter told Kawamura that a cybercriminal group known to law enforcement as FIN7, Carbanak Group and the Navigator Group hacked into the computer system Zippy’s used to process customer credit card and debit card payments, and stole account numbers, expiration dates and security codes between Nov. 23, 2017, and March 29, 2018.

A federal grand jury in Washington state returned an indictment in November 2017 charging a suspected FIN7 member, Fedir Oleksiyovych Hladyr, with multiple crimes in connection with a sophisticated malware campaign that targeted the computer systems of businesses in the restaurant, gaming and hospitality industries.

Don't miss out on what's happening!

Stay in touch with top news, as it happens, conveniently in your email inbox. It's FREE!

By clicking to sign up, you agree to Star-Advertiser's and Google's Terms of Service and Privacy Policy. This form is protected by reCAPTCHA.

Hladyr was arrested by deputy U.S. marshals in Seattle in March 2018. He remains in custody pending trial in October.

Van Marter said FIN7 sold the Zippy’s customer credit and debit card information on the dark web where Kim purchased it with bitcoin. He said Kim then used the information to manufacture counterfeit credit cards and made fraudulent transactions with them.

He said Ramirez, Llanesa and Fontanilla also used credit and debit card profiles stolen in the Zippy’s data breach to make fraudulent transactions.

When Honolulu police raided Kim’s Kamehameha Heights apartment in August, Van Marter said they recovered 164 stolen credit card profiles on more than 50 devices, a magnetic strip reader and encoder, and blank cards.

Police also found mail stolen from post office boxes at the downtown Honolulu post office on Merchant Street.

Kim is charged with 12 counts of mail theft and is scheduled to stand trial in September in U.S. District Court.

Van Marter told Kawamura that all four defendants are unemployed but that Kim, 38, used to work as an information technology specialist for a computer networking company.

He said the data breach affected numerous financial institutions here, with one losing $244,000.

Zippy’s in January settled a class-action lawsuit over the data breach. Affected customers had until last month to submit a claim.