Restaurants, retail, healthcare, education: no industry or company is immune to a data breach. Harbortouch, a leading national supplier of point-of-sale (POS) systems, was reported as the latest company to fall victim. Harbortouch disclosed that "a small number" of its restaurant and bar customers were affected by "malicious software that allowed thieves to siphon customer card data from affected merchants."
This is certainly not the first time we have heard of POS compromises and their impact on restaurants and their customers. In June 2014, restaurant chain P.F. Chang's confirmed that it was the victim of a data breach. Cyber thieves planted malware on the POS software, which recorded card data as cards were swiped through the terminals. The breach exposed cardholder data at 33 locations over a span of 8 months, and data from thousands of credit and debit cards used at P.F. Chang's restaurants went up for sale on an underground store best known for selling data from tens of millions of cards stolen in the Target breach.
The Harbortouch breach, although reported as affecting a small percentage of merchants, should have the hairs on the arms of POS companies standing up, because POS malware is becoming steadily more advanced and evasive. In Harbortouch's case, where 4,200 merchants nationwide were affected, the malware was designed to avoid detection by the antivirus program running on the POS system, so the presence of antivirus alone is not evidence that a terminal is clean.
The Ponemon Institute lists variable costs for merchants in response to a breach, including forensic examinations, credit and identity monitoring, legal defense and more, all adding up to a cost of $201 per record. Taken at face value and assuming every record is exposed, a small merchant that processes 6 thousand unique transactions per year carries a risk cost of about $1.2 million. A larger merchant with multiple locations and 2.5 million unique transactions per year? A staggering $502 million in risk cost.
The large merchant breaches reported in the media have raised awareness of the fraud epidemic. What is scary is that this awareness has also created smarter thieves.
Over the past year, the Secret Service has responded to numerous intrusions at businesses throughout the United States that were hit by "Backoff" malware. "Backoff" targets restaurants and other businesses that use common remote desktop applications: attackers gain entry through exposed remote desktop software, install the malware, and then harvest cardholder data from the POS system without being detected by common anti-malware programs.
Brian Krebs recently reported on a newer strain of POS malware dubbed "PoSeidon." PoSeidon infects the POS system, scrapes card data from its memory as transactions are processed, and exports that data to servers controlled by the thieves for harvesting and resale. PoSeidon is also known for its resilience, as it persists across a system reboot.
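Both Backoff and PoSeidon work the same way at their core: they read the POS application's memory and look for magnetic-stripe track data, which has a fixed, public format (ISO/IEC 7813) and a PAN that passes the Luhn check. The scanner below is an added example written for this post, not code from the page, from Bluefin, or from either malware family; it is also useful on the defensive side, run over a memory dump of a POS process, to confirm whether clear-text track data is actually present. The buffer `SAMPLE_MEMORY` is constructed here using published test PANs and a Luhn-failing decoy; it is not real cardholder data.

```python
import re
from dataclasses import dataclass

# Track 1, format B, as it sits in memory after a clear-text swipe:
#   %B<PAN>^<NAME>^YYMMSSS<discretionary>?
TRACK1_RE = re.compile(
    rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
# Track 2: ;<PAN>=YYMMSSS<discretionary>?
TRACK2_RE = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Luhn check; RAM scrapers apply it to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only BIN and last four so a defensive report never copies full PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Hit:
    track: int
    offset: int
    masked_pan: str
    expiry: str      # YYMM as encoded on the stripe


def scan_memory(buf: bytes) -> list[Hit]:
    """Return every Luhn-valid Track 1 / Track 2 record found in a memory buffer."""
    hits = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode()
            if not luhn_ok(pan):
                continue
            hits.append(Hit(track, m.start(), mask(pan), m.group("exp").decode()))
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample "process memory": filler, a Track 1 + Track 2 pair for a
# well-known test PAN, a decoy that looks like a PAN but fails Luhn, and a
# second test card. Hypothetical data for this example only.
SAMPLE_MEMORY = (
    b"\x00" * 16 + b"POS v3.2 session start\r\n"
    + b"%B4111111111111111^DOE/JOHN^25121011000000000000?"
    + b";4111111111111111=25121011000000000000?"
    + b"\x00" * 8
    + b";1234567890123456=25121010000000000000?"   # decoy: fails Luhn, skipped
    + b"log: order 4417 tendered\r\n"
    + b";5555555555554444=26061010000000000000?"
    + b"\x00" * 16
)

if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_MEMORY):
        print(hit)
```

Run against a real dump (for example one taken with the operating system's process-dump tooling) the same function tells you whether the terminal ever holds swipe data in clear text; with a validated P2PE reader the buffer should contain only ciphertext and the scan should return nothing, which is exactly why that design removes the target these families depend on.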
PoSeidon “has been implicated in a number of recent breaches involving companies that provide POS services primarily to restaurants, bars, and hotels. The shift by the card thieves away from targeting major retailers like Target and Home Depot to attacking countless, smaller users of POS systems is giving financial institutions a run for their money as they struggle to figure out which merchants are responsible for card fraud.”
We will continue to see new types of malware as thieves adapt and expand their target area. The good news is that there is a solution for protecting credit card data: PCI-validated Point-to-Point Encryption (P2PE). Bluefin provides a suite of PCI-validated P2PE solutions through our PayConex payment gateway, our stand-alone Decryptx product and our QuickSwipe mobile solution, which is aimed specifically at the restaurant industry. Bluefin's PCI-validated P2PE solution suite encrypts all card data inside a PCI-approved P2PE device, so the data is never present in the merchant system in clear text and there is nothing for memory-scraping malware on the POS to capture. Decryption is performed only in hardware outside of the merchant's environment.