So far this week (and it is only Monday), we have two POS breaches in the news.
HEI Hotels and Resorts, which manages almost 60 hotels for Starwood, Hilton, Marriott and other chains announced that 20 of their locations, covering all of their brands, had suffered breaches.
While they have not said how many cards may have been compromised, they have said that the data that was compromised included name, account number, expiration date and verification code.
HEI said that they thought the data was accessed in real time because they do not store the data. They also said that they were unable to contact people whose cards were likely breached since they do not collect or maintain enough information to do this. This raises some important points.
These statements would seem to indicate that they outsource the processing of payments. If so, that points to the fact that even if you outsource credit card processing, you are still the one who has to face the music in case of a breach.
It also indicates that they are likely not using chip-based credit card readers, because if they were, the data would not exist in an unencrypted state except inside the card reader itself, which does not appear to be where the breach occurred. This is one more case where a chip-based solution might have stopped a breach in its tracks.
The breach lasted a long time – from March 2015 to June 2016 – about 15 months. It is not clear why the malware was not detected for so long.
In the second breach of the week, Oracle acknowledged a breach affecting their Micros POS software.
Apparently, the breach is large enough that VISA issued an alert to merchants, which they usually don’t do.
Visa said that hackers broke into hundreds of servers at Oracle and had “completely compromised” Oracle’s support portal.
Micros, according to Oracle, is installed at over 300,000 locations, including 200,000 food and beverage locations, 100,000 retail locations and 30,000 hotels.
With millions of cards used at these locations per week, this could be a major breach.
Oracle is being very tight-lipped about this breach – whether that is because they do not understand the scope of the breach and don’t want to make incorrect statements, or because Larry Ellison knows he is about to be hit with multiple lawsuits, is unclear.
Oracle told customers to change their passwords, to change any passwords used by Oracle staff to access the customers’ systems, and not much else. That would suggest that the hackers, in compromising the Oracle servers, got credentials that would allow them to access Oracle’s customers’ systems.
Some of Oracle’s customers are saying that by not sharing information, Oracle is making it harder for them to clean up Oracle’s mess – all fodder for the inevitable lawsuits.
Brian Krebs is also saying that it is possible that Oracle was breached by more than one Eastern European (read this as Russian) crime group, or that at least more than one group is dividing the spoils. If, in fact, 300,000-plus locations were hacked and people will eventually change passwords, the hackers have to work fast in order to install other back doors and extract data.
It appears that the customer network and Oracle’s internal network were on the same network segment, but that the network was split. Somehow, sources say, that facilitated the breach; they do not say how.
And here is the killer.
In mid July, Oracle told employees in the hospitality division that they had to wipe their computers WITHOUT BACKING ANYTHING UP. The computers were then reimaged with a clean operating system.
This means that employees lost implementation plans and schedules and software that was going to be deployed. The source said that this has cost Oracle billions of dollars – however that seems like a lot of money. Still, I am sure that did cost Oracle a bunch.
Oracle did not tell employees that the reason that they had to wipe their computers was because the company had been breached.
I am sure that more details will emerge, even if Oracle does not want them to.
What this does point out is that companies need to have an active and aggressive vendor risk management program. In both of these cases, the problem stemmed from vendors. The restaurants, bars, hotels and retail stores were counting on their vendors to protect them. While it is possible that there are clauses in the customers’ contracts with Oracle in which Oracle agrees to indemnify and reimburse the stores and restaurants for all costs associated with the breach, knowing Oracle, the contracts probably say that they aren’t responsible for anything. We shall see how this turns out in court – but that is years from now.
In both of these examples, these businesses are going to have very unhappy customers and not because they did something wrong, but rather because one of their vendors did something wrong.
Vendor risk management programs are effective at reducing risk associated with outsourcing. If you don’t have a program, you should create one now. If you do have one, you should review it for completeness.
Information on the HEI Hotels breach came from CSO Online.
Information on the Oracle breach came from Krebs on Security.