A remote-access attack on a point-of-sale vendor may have resulted in the exposure of payment card transactions conducted at a number of restaurants throughout the northwestern United States.
Vancouver, Wash.-based food-service POS and security systems provider Information Systems & Supplies Inc. on June 12 notified restaurant customers of a remote-access compromise that may have exposed card data linked to POS transactions conducted between Feb. 28 and April 18 of this year.
IS&S is an independent reseller of POS products sold by software vendor Future POS Inc. Future POS customers named on IS&S's site include restaurant chains such as Dairy Queen and TacoTime. But IS&S says not all of those brands also are IS&S customers, and not all IS&S customers are at risk of being impacted by the breach.
Information Security Media Group was provided a copy of the letter sent by IS&S president Thomas Potter to restaurants that may have been impacted.
"We recently discovered that our LogMeIn account was breached on February 28, March 5 and April 18, 2014," Potter states in the letter. "We have reason to believe that the data accessed could include credit card information from any cards used by your customers between these dates."
LogMeIn is a remote access and systems management provider that facilitates, among other things, file sharing and data backup. The company is based in Boston.
Potter confirms that his company's remote access credentials were somehow compromised, possibly through a phishing attack. Since learning of the breach, which LogMeIn discovered, IS&S has taken the proactive step to notify its customers of possible card compromises, Potter says.
So far, Potter says none of IS&S's customers have, to his knowledge, suffered any data compromises as a result of the breach. "We tried to get out ahead of this thing and do what was right by our customers," he says.
Potter did not say how many restaurants were notified or how many card transactions may have been impacted.
IS&S also has changed all of its LogMeIn credentials and now requires a secondary unique password for access to the system, Potter says. IS&S is in the process of scanning POS systems for malware and other intrusions at all of its restaurant sites.
Payments fraud expert Tom Wills, director of Ontrack Advisory, says the breach that impacted IS&S could have been perpetrated a number of ways, but most likely resulted from weak authentication.
"It could have been that someone simply got hold of their user credentials for LogMeIn and their account was compromised that way, or it could have been through phishing," Wills says. "If IS&S were just using username and password, then it's easy access."
Wills also says this is not the first time LogMeIn has been the suspected source of a breach. In 2012, LogMeIn customers reported that they believed their credentials had been compromised. LogMeIn did not publicly confirm or deny those allegations.
The IS&S breach is just one in a series of recent POS-related attacks that have impacted U.S. retailers and restaurants, including Target Corp., Neiman Marcus, Sally Beauty, Michaels and P.F. Chang's China Bistro.
While breach alerts from POS vendors are uncommon, the steps taken by IS&S to inform its merchant customers of concerns for risk is commendable, says financial fraud expert and Aite analyst Shirley Inscoe.
"This is an interesting notification of a fraud breach, unlike any I have seen before," she says. "The company provides three precise dates, which indicates their internal investigation uncovered specific incidents on those dates."
Criminals often sell or store compromised card data, which can be used long after the breach incident; so it may be difficult to tie fraud back to this specific breach, Inscoe says. "However, it will be incumbent upon their clients to notify their customers who used their cards during this time, and that may help."
Still, timely notification is little consolation to the merchants and card issuers that are adversely affected by third-party security incidents such as this one, says one bank executive who asked not to be named.
"The third-party risk is a huge factor in today's business," the executive says. "As merchants and financial institutions outsource certain types of offerings, there will be a risk factor. Fraudsters will always find the weakest link in the chain. Some smaller merchants that have a staff of 20 or less do not have a full-time IT person."
Remote Access Vulnerabilities
Targeting peripheral third parties and systems is working for hackers, says Al Pascual, a financial fraud and banking security analyst for consultancy Javelin Strategy & Research. "This business [IS&S] is a degree removed from retailers, making it an important example of how criminals are looking everywhere in the payments infrastructure for opportunities and vulnerabilities," he says.
One threat intelligence researcher with a leading cyber-intelligence firm says the IS&S breach is yet another classic example of how hackers are pursuing lateral attacks with compromised credentials. "Brute force a few passwords and the criminal is in," says the researcher, who asked to remain anonymous. "This, as you know, is the Target compromise, in a nutshell."
Another bank executive, who also asked not to be named, says remote software and POS management is to blame for many merchant compromises. "I think we will start to see a lot more attention paid to these types of vendors, as the fraudsters continue to probe for vulnerabilities," the executive says.
Security risks associated with remote access have been blamed for breaches at other restaurants chains and retailers in the past. In 2011, investigators uncovered a remote software weakness that hackers exploited for nearly three years, allowing them access to the POS networks of more than 150 Subway restaurant franchises and other merchants. And in the spring of 2013, federal investigators traced POS malware that targeted a select group of Kentucky and Southern Indiana merchants (see Retailers Attacked by POS Malware).
Commenting on this latest incident, Avivah Litan, a distinguished analyst and vice president at Gartner, says IS&S's notification reflects a positive step for breach response. "This vendor had a breach of their own systems, which have to be PCI compliant," she says. "And, also, they probably had to comply with state disclosure laws because of the data they were processing. ... It still is unusual, because you don't see most payment application vendors and service providers coming clean in this manner when there is a breach. In any event, they should be commended for the transparency and full disclosure, even if it is the right thing to do.