Announcing the arrests late yesterday, Manhattan district attorney Cyrus Vance Jr revealed that one of the people arrested is a Russian national who was detained while on holiday in Spain, along with three people in London, two people in the US and one person in Canada.
The seven have been charged with involvement in a cyber-crime ring that allegedly used stolen credit card numbers to purchase thousands of tickets to events from the eBay-owned ticketing service. Charges against the arrestees include money laundering, possession of stolen property and identity theft.
StubHub says that its staff have been working on investigating the fraud for the last year.
According to the KrebsOnSecurity newswire, the Russian arrestee stands accused of being involved in a fraud ring that bought around US$ 10m (£5.9 million) worth of tickets from StubHub - about six times the figure cited by US authorities. In addition, security researcher Brian Krebs says that as many as 20 people around the world are in the process of being investigated.
Robert Capps, an executive with RedSeal Networks - and who was previously the head of Global Trust and Safety for San Francisco-based StubHub – said his old extended team at StubHub uncovered the criminal activity.
Following the detection of payment-related fraud issues and more than 1,000 customer accounts accessed inappropriately, Capps and his team re-architected risk detection systems and anti-fraud programs, and assembled a top-notch investigative team to research and report on cyber-crime activity.
“I am incredibly proud of my former StubHub trust and safety team mates, as they continue to accomplish amazing results in the pursuit of stopping cybercrime. I would also like to congratulate all of the private and public entities that participated in the recent investigation and arrests of cyber-criminals in New York City, Canada, the United Kingdom and Spain" he said.
"A tremendous amount of hard work and dedication from all parties is required to successfully dismantle an International criminal enterprise. The success we witnessed this morning should be used as the gold standard for which future collaboration between private companies and the International law enforcement community are modelled," he added.
Capps went on to say that collaboration on this scale is required to turn the tables on cyber-criminals, and it should not be underestimated as to what was accomplished today. The impact of today's events, he explained, are bigger than any individual arrest.
"The global law enforcement community has sent a strong message to the individuals that commit these crimes - you are no longer safe to travel and operate outside of your home country, without significant risk of arrest and prosecution. Isolation is a powerful force in the effort to change behaviours. Confined within the borders of their home country, I suspect we'll see a change in behaviour of some of these criminals," he said.
Continued success with prosecutions, says Capps, will have a lasting effect on cyber-criminal behaviour, but it is not a silver bullet.
“Cyber-attacks and data breaches are still far too easy for attackers with even a moderate level of skill. We must continue working to make our systems and economy more resilient to attack,” he noted.
Paul Ayers, vice president of EMEA with Vormetric, said that, unlike eBay's recent experience at the hands of cyber-criminals, it appears that this breach was not as a result of the company's servers coming under assault, but that the hackers had used login details and passwords obtained from previous attacks.
“We have long warned that personal data nabbed in one heist can be used to launch other, socially-engineered cyber-attacks; today we finally have confirmation of such an eventuality. Indeed, it is information like emails, addresses and dates of birth that offer essential fodder for hackers to launch more insidious attacks," he said, adding that StubHub's 1,000 customers join those of Adobe, Snapchat, Michaels and Neiman Marcus in an already long list of 2014 data breaches
“[This] news should act as yet another reminder that a different approach to data security is urgently required," he explained.
Ayers went on to say that the only solution is for businesses to ensure they have sophisticated security intelligence solutions in place – capable of providing continuous, real-time monitoring of their IT systems.
"Only by doing so will they be alerted to unusual or anomalous behaviour and access patterns as soon as they happen, which may indicate an external attack or a malicious insider, and respond as necessary. In turn, encryption of all data, regardless of where it resides, is a must – ensuring that no matter whose hands it falls into, it remains illegible and essentially useless," he said.