Restaurant Association Warns of BreachA Remote Access Breach May Have Compromised POS Software
An undisclosed number of Delaware restaurants may have been affected by a remote-access breach that compromised point-of-sale software, according to the Delaware Restaurant Association.
While details are just unfolding, the association says the possible breach of consumer payment card data appears to be linked to LogMeIn, a remote access and systems management provider that facilitates, among other things, file sharing and data backup.
The association this week notified its 1,900 member restaurants of the potential breach.
"The Delaware Restaurant Association is responding to reports from members that there may have been a breach of consumer credit card information in Delaware," the notification states. "Initial reports and e-mails show that the breach may have been linked to the remote access software LogMeIn, typically used in conjunction with restaurant POS systems.
"We ask that all members revisit PCI compliance standards," the notification continues. "Specifically, we ask that you exercise extreme caution when using remote access and ensure that an individual or company not have access without two-factor authentication. We will continue to report any information that is given to us."
At this point, the restaurant association says it's unclear how many restaurants or cardholders may have been impacted.
LogMeIn won't comment about specific customer activity. But LogMeIn spokesman Craig VerColen says the company investigates all reports of suspicious activity. "In addition, we provide advice on IT security and user password best practices, and how to best utilize the multiple layers of security that are built into LogMeIn products, including two-factor authentication," he says. "It is also important to note that LogMeIn does not store user credentials needed to access our customers' computer systems or data, including, but not limited to, credit card information."
The restaurant association provided Information Security Media Group with a copy of the letter it sent to its members, noting that it had advised them to contact their POS hardware and software providers for additional information.
MICROS Systems Inc., Aloha POS and Digital Dining are the three primary POS hardware and software vendors in Delaware, the association notes. None of these vendors replied to ISMG's request for comment about the potential vulnerability.
Links to Other Breaches?
Data breach experts say the Delaware incidents, if confirmed, could potentially be related to other merchant POS breaches currently under investigation.
"Like one Secret Service agent told me, almost all the payment card attacks are linked in some way, and these are no exceptions," says financial fraud expert Avivah Litan, an analyst at the consultancy Gartner. "It could be the same individual perpetrators, or the same organized crime ring, or the same software/malware components."
Remote-access vulnerabilities have been linked to a number of recently suspected card data compromises, including the June breach of a LogMeIn account used by Vancouver, Wash.-based Information Systems & Supplies Inc.. IS&S is an independent POS systems and security provider that caters to the food service industry (see POS Vendor: Possible Restaurant Breach).
On June 12, IS&S alerted some of its restaurant customers about a remote-access compromise that may have exposed card data linked to POS transactions conducted between Feb. 28 and April 18 of this year.
In 2011, investigators uncovered a remote software weakness that hackers exploited for nearly three years, allowing them to access the POS networks of more than 150 Subway restaurant franchises and other merchants. And in the spring of 2013, federal investigators traced POS malware that targeted a group of Kentucky and Southern Indiana merchants back to a remote-software vulnerability (see Retailers Attacked by POS Malware).
Some industry sources also have suggested that the possible POS breach reported in July by Goodwill Industries International, if confirmed, also could be connected to a remote-access attack (see Analyzing Possible Goodwill Breach)
Gartner's Litan says remote-access vulnerabilities have been largely ignored by many merchants and enterprises, which has left the door open for fraudsters.
"The bad guys have continually used remote access login to perpetrate their crimes and breaches against POS systems, since they gain the privileges and visibility they need with software like LogMeIn," she says. "It's a huge vulnerability that most enterprises don't currently have enough control over, given their relationships with service providers and contractors. They need to tighten up that glaring hole by enforcing strong user authentication into remote-access facilities into their systems and auditing the access that does take place."
But it's not just brick-and-mortar merchants that are at risk, as the just-disclosed breach of an online retailer based in Oregon proves. On July 28, BackCountry Gear notified customers via e-mail of a malware intrusion detected on its server that likely exposed payments data and personally identifiable information dating back to April 27.
The intrusion was detected on July 23, the e-commerce merchant says.
"It appears that the malware caused payment card data to be stolen on orders to our company between April 27 and July 17, 2014," BackCountry Gear says. "The payment card data was comprised of customer names, mailing addresses, purchase information, and credit card or debit card numbers. Since we do not use or collect debit or credit card PINs or bank account numbers in our transactions, none of this data would have been present in a transaction and would not have been affected by the breach. Our site is now secure and measures have been implemented to prevent similar attempts in the future."
While the methods used to compromise e-commerce retailers are different from those used to attack restaurants and other brick-and-mortar merchants, the malicious software behind all of these attacks is fundamentally the same, security experts say. Gaps in compliance with the Payment Card Industry Data Security Standard and other recommended security controls, such as tokenization, often are ultimately to blame for breach exposure, they say.
In late 2013, Troy Leach, chief technology officer of the PCI Security Standards Council, discussed emerging e-commerce risks and the need for layered security.
Troy Leach on emerging risks facing online retailers
Mike Park, a managing consultant at cybersecurity and forensics investigation firm Trustwave, says e-commerce sites are increasingly being targeted by hackers.
In 2010, only 9 percent of the breaches investigated by Trustwave were linked to e-commerce compromises, Park says. In 2013, some 54 percent of the breaches reviewed by Trustwave involved e-commerce sites. "The steady increase demonstrates a shift in how criminals are selecting their targets," Park says.