Cleveland Federal Reserve Hacked

Malaysian Caught with 400K Stolen Cards

Lin Mun Poo, a Malaysian national, faces a four-count indictment that charges him with hacking into computer systems and the possession of more than 400,000 stolen credit and debit card numbers.

"Cybercriminals continue to use their sophistication and skill as hackers to attack our financial and national security sectors," says Loretta Lynch, United States Attorney for the Eastern District of New York. Poo's arrest comes just a month after authorities arrested a big cyber crime gang in the U.S. and Europe for similar crimes.

When he arrived in New York on Oct. 21, he was arrested hours later by Secret Service agents. Poo, who is being held in pre-trial detention, "made a career of compromising computer servers belonging to financial institutions, defense contractors and major corporations, among others, and selling or trading the information," says Lynch.

'Massive Quantity' of Stolen Data

The list of victims includes FedComp, a data processor for federal credit unions. With access to FedComp's computers, Poo had unauthorized access to the data of federal credit unions, including the Firemen's Association of the State of New York and the Mercer County New Jersey Teachers. Poo also is charged with breaking into computer servers of a number of major financial institutions and companies, including a computer network of the Federal Reserve Bank of Cleveland, Ohio, by exploiting a security vulnerability. The bank states Poo only broke into a test computer system and didn't access any sensitive information.

Security expert Avivah Litan, an analyst at Gartner, says while it isn't clear how Poo got in to the Federal Reserve's system, this hack "highlights the need for PCI enforcement at banks, including government banks -- not just at merchants and payment processors." She points out banks have always "wiggled out" of formal PCI data security enforcement and audits. "Merchants have been complaining about this lopsided effort for years," Litan says.

Defense Contractor Hacked

Poo faces a maximum of 10 years if convicted on all charges.