Breach Response , Data Breach , Fraud

Two New POS Breaches Lead to Fraud

Mandarin Oriental, Natural Grocers Confirm Card Theft
Two New POS Breaches Lead to Fraud

Global luxury hotel chain Mandarin Oriental Hotel Group and Natural Grocers, an organic and health food grocery chain with stores in 15 states, are the latest retailers to confirm card compromises connected to breaches of their point-of-sale systems.

See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach

On March 4, both companies posted notices on their websites about confirmed network intrusions.

Tracking Fraud

So far, according to card issuers, more fraudulent card transactions have been tied to purchases at Natural Grocers than have been linked to transactions at Mandarin Oriental hotels.

One executive with a mid-sized issuer on the West Coast, who asked to remain anonymous, says: "I have heard issuers in my network are experiencing fraud activity on accounts believed to be exposed at Natural Grocers in recent days. The Mandarin has not been raised as a concern."

David Pollino, senior vice president and enterprise fraud prevention officer at Bank of the West, a $69 billion institution based in California, says the Mandarin Oriental and Natural Foods breaches, like all other retail breaches, are contributing to increased fraud on payment cards. "We encourage our customers to closely monitor their accounts for any unauthorized activity and immediately notify their financial institution," he says. "Mobile and online banking can be used to monitor accounts and set up alerts to watch for unauthorized activity.

Cross-Border Fraud

The Mandarin Oriental breach puts a new spotlight on cross-border retail attack trends, security experts say.

Cardholders who visited Mandarin Oriental hotels in both the U.S. and Europe were impacted by the breach. One threat researcher, who asked not to be named, says cross-border card compromises are becoming more prevalent as businesses with international presences are increasingly being targeted.

In its statement about the breach, Mandarin Oriental confirms that hotels in numerous markets were affected by the attack, which has been linked to malware.

"Mandarin Oriental can confirm that the credit card systems in an isolated number of our hotels in the U.S. and Europe have been accessed without authorization and in violation of both civil and criminal law," the hotel chain states. "The group has identified and removed malware and is coordinating with credit card agencies, law enforcement authorities and forensic specialists to ensure that all necessary steps are taken to fully protect our guests and our systems across our portfolio."

Cyberthreat intelligence consultancy iSIGHT Partners on March 6 issued a statement about the hotel breach, noting that the compromise of card data was likely limited to magnetic-stripe transactions, not card purchases that were run as EMV chip transactions

"At this juncture, we are unaware of the attack vector or type of malware used," iSIGHT writes. "However, if the attack involved POS malware, the number of affected customers in Europe may be limited to visitors using the hotel's presumed backup magnetic-stripe reader. Given the limited number of hotels allegedly affected and efforts to prevent any further fraud using the stolen card data, we suspect most financial losses associated with the theft have already occurred."

John Buzzard, who heads up FICO's Card Alert Service, also believes that mag-stripe transactions were likely the target, though he notes that European cardholders could have been compromised just as easily as U.S. cardholders, if the hotel was running transactions through the mag-stripe rather than the chip on cards.

"Issuers are experiencing some fraud that they are linking back to customers who patronized a Mandarin location," Buzzard says. "The fraud is a combination of card-present and card-not-present fraud in various locations."

He says compromised card numbers are probably being sold wholesale in underground forums, which is typical after a POS malware attack, and then are being used by fraudsters for an array of fraudulent purchases through multiple channels, including e-commerce.

"Card dumps, however, are not an indicator that victims are all U.S.-based, considering that European cards could have been breached with the same vulnerability as U.S. cards when criminals use cards at merchants that are not yet using chip authentication," Buzzard adds. "Meanwhile, the card-not-present fraud space doesn't discriminate; so the only real strength card issuers have in reducing CNP fraud is a strong behavioral analytics program."

Natural Grocers' Breach Impact

Fraud linked to the Natural Grocers' breach is likely to have more of an impact on U.S. issuers and cardholders than the Mandarin Oriental breach, security experts and card issuers say.

While Natural Grocers has not confirmed how many cards may have been impacted, it does say that it's now installing new point-of-sale systems at all 93 of its locations.

"The company has accelerated the upgrade of the point-of-sale system in all of its store locations to include new PIN pads and a PCI-compliant system that provides point-to-point encryption and 'chip and PIN' card technology," the grocery chain states.

Whether Natural Grocers was PCI compliant at the time of its breach has not been revealed, although the company does note in its statement that it has hired third-party data security experts to help it investigate the breach, which has been "contained."

Natural Grocers did not respond to ISMG's request for additional comment about the breach and its investigation.

The two latest breaches were first reported by security blogger Brian Krebs.


About the Author

Tracy Kitten

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network