POS Vendor: Possible Restaurant Breach

Remote Access Hack May Have Exposed Card Data

By , July 1, 2014.
POS Vendor: Possible Restaurant Breach
 

A remote-access attack on a point-of-sale vendor may have resulted in the exposure of payment card transactions conducted at a number of restaurants throughout the northwestern United States.

See Also: CEO Bob Carr on EMV & Payments Security

Vancouver, Wash.-based food-service POS and security systems provider Information Systems & Supplies Inc. on June 12 notified restaurant customers of a remote-access compromise that may have exposed card data linked to POS transactions conducted between Feb. 28 and April 18 of this year.

IS&S is an independent reseller of POS products sold by software vendor Future POS Inc. Future POS customers named on IS&S's site include restaurant chains such as Dairy Queen and TacoTime. But IS&S says not all of those brands also are IS&S customers, and not all IS&S customers are at risk of being impacted by the breach.

Information Security Media Group was provided a copy of the letter sent by IS&S president Thomas Potter to restaurants that may have been impacted.

"We recently discovered that our LogMeIn account was breached on February 28, March 5 and April 18, 2014," Potter states in the letter. "We have reason to believe that the data accessed could include credit card information from any cards used by your customers between these dates."

LogMeIn is a remote access and systems management provider that facilitates, among other things, file sharing and data backup. The company is based in Boston.

Potter confirms that his company's remote access credentials were somehow compromised, possibly through a phishing attack. Since learning of the breach, which LogMeIn discovered, IS&S has taken the proactive step to notify its customers of possible card compromises, Potter says.

So far, Potter says none of IS&S's customers have, to his knowledge, suffered any data compromises as a result of the breach. "We tried to get out ahead of this thing and do what was right by our customers," he says.

Potter did not say how many restaurants were notified or how many card transactions may have been impacted.

IS&S also has changed all of its LogMeIn credentials and now requires a secondary unique password for access to the system, Potter says. IS&S is in the process of scanning POS systems for malware and other intrusions at all of its restaurant sites.

Payments fraud expert Tom Wills, director of Ontrack Advisory, says the breach that impacted IS&S could have been perpetrated a number of ways, but most likely resulted from weak authentication.

"It could have been that someone simply got hold of their user credentials for LogMeIn and their account was compromised that way, or it could have been through phishing," Wills says. "If IS&S were just using username and password, then it's easy access."

Wills also says this is not the first time LogMeIn has been the suspected source of a breach. In 2012, LogMeIn customers reported that they believed their credentials had been compromised. LogMeIn did not publicly confirm or deny those allegations.

POS Breaches

The IS&S breach is just one in a series of recent POS-related attacks that have impacted U.S. retailers and restaurants, including Target Corp., Neiman Marcus, Sally Beauty, Michaels and P.F. Chang's China Bistro.

While breach alerts from POS vendors are uncommon, the steps taken by IS&S to inform its merchant customers of concerns for risk is commendable, says financial fraud expert and Aite analyst Shirley Inscoe.

"This is an interesting notification of a fraud breach, unlike any I have seen before," she says. "The company provides three precise dates, which indicates their internal investigation uncovered specific incidents on those dates."

Follow Tracy Kitten on Twitter: @FraudBlogger

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE The Technology of Advanced Threats

Dr. Zulfikar Ramzan is the new CTO at RSA, and he's focused on advanced threats. What are the...

Latest Tweets and Mentions

ARTICLE The Technology of Advanced Threats

Dr. Zulfikar Ramzan is the new CTO at RSA, and he's focused on advanced threats. What are the...

The ISMG Network