Category Archives: Oracle

Eddie Bauer Leads The Oracle Micros Breach Story

On Monday I wrote about two new Point of Sale breaches, one at HEI hotels and the other at Oracle.  I said that it was only Monday and we already had two POS breaches.

Well, the week is almost over and I am going to bookend the week with another POS breach.  Eddie Bauer stores, the clothing chain, announced on Thursday that the POS system in all of its stores had been compromised.  That represents 350 or more stores.  In their effort to control the spin, Eddie Bauer said that the breach did not affect their web site.

While Eddie Bauer stores, in a press release, said that "the security of our customer's information is a top priority for Eddie Bauer" (see press release here), Brian Krebs reported this week that when he contacted the chain on July 5th, the spokesperson told Brian thanks, but they had not heard of any fraud complaints from their banks.  Unlike the ortho clinic I wrote about two days ago, Eddie Bauer is offering identity theft protection to their customers who were affected.

In today's world of competition and lawsuits, companies are loath to provide any information about what happened if there is any way to avoid it.  As a result, other stores and end customers have very little guidance on what happened and what to look for.

Eddie Bauer did say that they thought that the hackers were in their systems from January 2, 2016 to July 17th, 2016.

Curiously, and possibly coincidentally but maybe not, July 2016 is also the date that Eddie Bauer rolled out a chip based point of sale system.  While we cannot say with certainty that the hackers would not have succeeded if the chip based system had been in place last November, when the Visa/Mastercard deadline to deploy chip based point of sale systems came and went, it may well have blunted the effect of the hack.  The issue there is that not only are retailers way behind in deploying chip based POS systems, but the banks are also way behind in mailing out chip cards.  That is a story for another day.

What we can say is that IF they had chip based solutions in place, at least for those customers who had chip cards, their credit card information would not have been visible to the hackers inside the POS system.

Eddie Bauer has not yet said that they are running the Oracle Micros software that I wrote about on Monday as having 300,000+ locations compromised, but if you look at Jeff Piller's Linkedin profile, you find some relevant details.  Jeff, his profile says, is the Director – Technology & Architecture at Eddie Bauer and has been for roughly the last 4 years.

In his accomplishments, he says that he "implemented Oracle Point of Sale to U.S. and Canadian Stores to replace legacy IBM solution" and that he is "currently implementing EMV [that means chip credit cards – mitch] for ORPOS [or Oracle POS – mitch] and Mobile Point of Sale".

To me, that is certainly a strong indication that Eddie Bauer is using the Oracle software and got swept up in the Oracle Micros mess.

ANYONE who is running a POS system needs to be reviewing the security of that system with some significant urgency.

Information for this post came from Krebs On Security, Linkedin and an Eddie Bauer press release.

The Point of Sale (POS) Breaches Continue

So far this week (and it is only Monday), we have two POS breaches in the news.

HEI Hotels and Resorts, which manages almost 60 hotels for Starwood, Hilton, Marriott and other chains announced that 20 of their locations, covering all of their brands, had suffered breaches.

While they have not said how many cards may have been compromised, they have said that the data that was compromised included name, account number, expiration date and verification code.

HEI said that they thought that the data was accessed in real time because they do not store the data.  They also said that they were unable to contact people whose cards were likely breached since they do not collect or maintain enough information to do this.  This raises some important points.

These statements would seem to indicate that they outsource the processing of payments.  If so, that points to the fact that even if you outsource credit card processing, you are still the one who has to face the music in case of a breach.

It also indicates that they are likely not using chip based credit card readers because if they were, the data would not exist in an unencrypted state except inside the card reader itself, which does not appear to be where the breach occurred.  One more time where a chip based solution might have stopped a breach in its tracks.

The breach lasted a long time – from March 2015 to June 2016 – about 15 months.  It is not clear why the malware was not detected for so long.

In the second breach of the week, Oracle acknowledged a breach affecting their Micros POS software.

Apparently, the breach is large enough that VISA issued an alert to merchants, which they usually don’t do.

Visa said that hackers broke into hundreds of servers at Oracle and had "completely compromised" Oracle's support portal.

Micros, according to Oracle, is installed at over 300,000 locations, including 200,000 food and beverage locations, 100,000 retail locations and 30,000 hotels.

With millions of cards used at these locations per week, this could be a major breach.

Oracle is being very tight lipped about this breach – whether that is because they do not understand the scope of the breach and don’t want to make incorrect statements or because Larry Ellison knows he is about to be hit with multiple lawsuits, is unclear.

Oracle told customers to change their passwords and to change any passwords used by Oracle staff to access their systems and not much else.  That would suggest that hackers, in hacking the Oracle servers, got credentials that would allow them to access their customers’ systems.

Some of Oracle’s customers are saying that by not sharing information, Oracle is making it harder for them to clean up Oracle’s mess – all fodder for the inevitable lawsuits.

Brian is also saying that it is possible that Oracle was breached by more than one Eastern European (read this as Russian) crime group, or at least that more than one is dividing the spoils.  If, in fact, there are 300,000-plus locations hacked and people will eventually change passwords, the hackers have to work fast in order to install other back doors and extract data.

It appears that the customer network and Oracle’s internal network were on the same network segment, but that network was split.  Somehow, sources say, that facilitated the breach.  They do not say how.

And here is the killer.

In mid July, Oracle told employees in the hospitality division that they had to wipe their computers WITHOUT BACKING ANYTHING UP.  The computers were then reimaged with a clean operating system.

This means that employees lost implementation plans and schedules and software that was going to be deployed.  The source said that this has cost Oracle billions of dollars; however, that seems like a lot of money.  Still, I am sure that it did cost Oracle a bunch.

Oracle did not tell employees that the reason that they had to wipe their computers was because the company had been breached.

I am sure that more details will emerge, even if Oracle does not want them to.

What this does point out is that companies need to have an active and aggressive vendor risk management program.  In both of these cases, the problem stemmed from vendors.  The restaurants, bars, hotels and retail stores were counting on their vendors to protect them.  While it is possible that there are clauses in the customers' contracts with Oracle in which Oracle agrees to indemnify and reimburse the stores and restaurants for all costs associated with the breach, knowing Oracle, the contract probably says that they aren't responsible for anything.  We shall see how this turns out in court, but that is years from now.

In both of these examples, these businesses are going to have very unhappy customers and not because they did something wrong, but rather because one of their vendors did something wrong.

Vendor risk management programs are effective at reducing risk associated with outsourcing.  If you don’t have a program, you should create one now.  If you do have one, you should review it for completeness.

Information on the HEI Hotels breach came from CSO Online.

Information on the Oracle breach came from Krebs on Security.

Oracle’s Patch – Where Does A Vendor’s Responsibility End?

According to CNN, Oracle discovered an issue in 2012 that allowed hackers to compromise Oracle systems.  Some white hat hackers were wandering around the internet recently (in 2014) and discovered that some systems had not had this patch applied.

These hackers were able to access children’s school records, arrest records, the real names and numbers of intelligence agents, social security numbers and other private stuff.  You get the idea –  stuff that should not be public.

CNN asked Oracle about the issue and they said:

"We identified this issue two years ago. It was not a product coding defect allowing hackers to bypass security mechanisms. Instead, the product included a configuration setting allowing customers to disable security checks. Oracle identified that customers were leaving this setting open and immediately issued a patch that made the default setting for customers secure."

So basically, what Oracle is saying (and in their defense, this is no different from what most software vendors say) is: we issued a patch, for something which is not even a bug in the traditional sense, and it is up to our customers to install these patches.  Our responsibility is over.

Legally, this is probably true – assuming that Oracle, given the typical software license agreement language, had any responsibility in the first place.

Maybe this bug is no worse than the hundred other bugs that Oracle patched last quarter.  Likely it is worse than some and not as bad as others.

However, these customers are storing very sensitive information and it sounds like at least some of them are government customers.  The article provides some details on the customers and the type of information, but since these systems are not patched, the article is not naming organizations.

There is no easy answer to how to handle this, but it is certainly a topic worthy of public discussion.  Some people would say the existing rules are too stringent; others would say they are too lax.  I would say that the patchwork of state based laws is impossible to manage compliance with.

Let's see what happens.

Mitch Tanenbaum