Denver POS Service Provider BreachedThird-Party Breach Highlights Risks to Small Merchants
Denver-based managed services provider Service Systems Associates has reported a breach that likely affected about 12 of the payments systems it operates for gifts shops at its clients, which include zoos, museums and parks across the country.
The incident is yet another example of the growing POS risks associated with third-party managed services providers, as highlighted in this week's cybersecurity alert from the Financial Services Information Sharing and Analysis Center and others.
In a July 8 statement posted to its site and Facebook page about the breach, Service Systems Associates says debit and credit purchases made between March 23 and June 25 in gift shops that it manages for several U.S. clients may have been compromised by a point-of-sale malware attack that infected its system.
"As soon as we learned about the attack, SSA began working with law enforcement officials and a third-party forensics investigator, Sikich, to investigate the breach," SSA states. "Though the investigation into this attack continues, the malware that caused the breach was identified and removed. All visitors should feel confident using credit or debit cards anywhere in these facilities. SSA is also taking several steps to improve its security and prevent future attacks."
Impact of Breach Unkown
SSA spokeswoman Kara Hamstra tells Information Security Media Group that the company is not yet revealing the number of cards and locations that may have been affected. Whether some of the locations share one of the dozen payments systems infected with the malware was not noted in SSA's statement, and Hamstra was not able to offer additional details.
SSA's clients, according to its website, include the History Colorado Center, the Detroit Zoo, the Cincinnati Zoo, the Cincinnati Museum Center, the Minnesota Zoo, Oklahoma's Tulsa Zoo, the Denver Zoo, the California's Monterey Bay Aquarium, Kentucky's Louisville Zoo, the Dallas Zoo, Zoo Miami, the Nashville Zoo, the Pittsburgh Zoo, the Honolulu Zoo, New York's Buffalo Zoo and New Mexico's Albuquerque Bio Park.
Several card-issuing institutions contacted by ISMG say they are not aware of any fraud related to cards that may have been compromised in the SSA breach. However, all point out that tracing fraud back to a third party that provides outsourced or managed payment services is difficult.
"The POS software vendor is not visible to the issuer, so it is difficult to recognize the commonality of the point of purchase," says one executive with a leading issuer on the West Coast, who asked not to be named.
Risks to Smaller Merchants
Charles Bretz, director of payment risk at the FS-ISAC, notes that smaller merchants are at greatest risk of breaches involving managed services providers because they commonly use these vendors for payments processing and POS management.
"Criminals continue to find success by targeting smaller retailers that use common IT and payments systems," Bretz explains in a recent interview with ISMG. "Merchants in industry verticals use managed service provider systems. There might be 100 merchants that use a managed service provider that provides IT and payment services for their business."