Hackers Going After Point Of Sale Vendors

A new trend is emerging among hackers.  Rather than going after large companies like Target and Home Depot (not that those companies are now safe), hackers are going after the vendors that support many small companies at once.  In this case, eCellar, a vendor that provides point of sale software to many California wineries, has told its customers that it was hacked and that customer credit card transaction data for the month of April was stolen (see article).

Calistoga, CA-based Missing Link, which runs eCellar Systems, notified its high end winery customers that data was compromised.  Data stolen included credit card numbers, billing addresses and date of birth information.  They said it did not include CVV numbers or PINs.

This points to a trend for hackers.  If they attack one high end winery, they get that winery's customers' credit card numbers.  Likely, the credit limits on those cards are higher than, say, those of customers who shop at Target.  If, instead, they go after the software vendor that runs the web sites or point of sale systems for those wineries, they get data from maybe hundreds of wineries in one attack.

Sometimes, these attacks are also harder for the credit card companies to correlate fraud on.  Issuers typically look for a common point of purchase among cards that show fraud, but here the common element is not a merchant the cardholders visited; it is a behind the scenes vendor.  The individual wineries look unrelated unless someone knows which vendor processes their transactions.
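To make the correlation problem concrete, here is an added example (not code from the article, Missing Link, or any card issuer) of a simple common point of purchase analysis run over constructed sample transactions.  The merchant names, card IDs and the merchant-to-vendor mapping are all hypothetical.  At the merchant level no single merchant stands out, because each card was used at a different winery; only once merchants are collapsed to the vendor behind them does the shared vendor appear on every compromised card.

```python
from collections import Counter, defaultdict

# Constructed sample data, not from the article: purchases made on cards that an
# issuer later flagged for fraud. Each tuple is (card_id, merchant_name).
COMPROMISED_CARD_TRANSACTIONS = [
    ("card-1", "Winery A"), ("card-1", "Grocery X"),
    ("card-2", "Winery B"), ("card-2", "Gas Y"),
    ("card-3", "Winery C"), ("card-3", "Grocery X"),
    ("card-4", "Winery D"), ("card-4", "Airline Z"),
    ("card-5", "Winery E"), ("card-5", "Grocery X"),
]

# Hypothetical mapping from merchant to the vendor that processes its card
# transactions. In practice this comes from acquirer/processor records, which is
# why an issuer cannot always see it in the transaction stream alone.
MERCHANT_VENDOR = {
    "Winery A": "SharedPOSVendor",
    "Winery B": "SharedPOSVendor",
    "Winery C": "SharedPOSVendor",
    "Winery D": "SharedPOSVendor",
    "Winery E": "SharedPOSVendor",
    "Grocery X": "GroceryProcessor",
    "Gas Y": "FuelGateway",
    "Airline Z": "AirlineGateway",
}


def common_point_of_purchase(transactions, entity_of=lambda merchant: merchant,
                             min_share=0.8):
    """Common point of purchase analysis.

    Returns {entity: share_of_cards} for every entity that appears on at least
    min_share of the compromised cards. entity_of maps a merchant name to the
    entity being tested: the merchant itself (default) or the vendor behind it.
    """
    entities_per_card = defaultdict(set)
    for card, merchant in transactions:
        entities_per_card[card].add(entity_of(merchant))
    n_cards = len(entities_per_card)
    if n_cards == 0:
        return {}
    hits = Counter()
    for entities in entities_per_card.values():
        hits.update(entities)  # count each entity once per card, not per transaction
    return {e: c / n_cards for e, c in hits.items() if c / n_cards >= min_share}


def vendor_of(merchant):
    """Collapse a merchant to its (hypothetical) back-end vendor."""
    return MERCHANT_VENDOR.get(merchant, merchant)


if __name__ == "__main__":
    # Merchant level: every winery is on only one card, so nothing reaches 80%.
    print(common_point_of_purchase(COMPROMISED_CARD_TRANSACTIONS))
    # Vendor level: the shared POS vendor is behind a purchase on every card.
    print(common_point_of_purchase(COMPROMISED_CARD_TRANSACTIONS, vendor_of))
```

The takeaway for an analyst is that the same cards and the same threshold give an empty result at the merchant level and a 100% hit at the vendor level; the difference is purely whether the merchant-to-processor mapping is available when the correlation is run.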

In this case, Missing Link did not say how it found out about the breach, but it did so fairly quickly.  The breach covered the period April 1 to April 30, 2015, and the company began notifying its winery customers on May 27th.  The wineries still have to notify their own customers, so there is likely a window of a month or two during which fraud can occur before cardholders know to watch for it.  Still, this is a lot better than some breaches, where the intrusion was not detected for a year or more.

As a side note, Visa and Mastercard have informed banks that it is OK to name breached entities like Missing Link in the notices they send out when they replace credit cards.  The banks had complained that customers were blaming the bank's security when, in fact, it was companies like Missing Link that were at fault, and the banks had believed that naming the breached entity violated their agreements with Mastercard and Visa.  Whether we start seeing notices like "Due to a breach at Missing Link..." or "Due to crummy security at XYZ..." remains to be seen.  It will be interesting to watch these notices.
