POS Vendor Reports Malware Attack
Harbortouch Provides Few Details on Breach Affecting Merchants
Point-of-sale systems provider Harbortouch Payments has confirmed that it recently identified and contained a malware-related breach that affected "a small percentage" of the merchants that it serves.
"The incident involved the installation of malware on certain point-of-sale systems," the Allentown, Pa.-based company said in a statement provided to Information Security Media Group. "The advanced malware was designed to avoid detection by the anti-virus program running on the POS system. Within hours of detecting the incident, Harbortouch identified and removed the malware from affected systems."
Harbortouch says it has hired the forensics investigation firm Mandiant to assist in its ongoing investigation. It did not reveal how much payment card information may have been exposed in the malware attack.
The company says the incident did not affect its own network, and claims it was not the result of any vulnerability in its POS software. "Harbortouch does not directly process or store cardholder data," it says.
"It's important to note that only a small percentage of our merchants were affected and over a relatively short period of time," the company states. "We are working with the appropriate parties to notify the card-issuing banks that were potentially impacted. Those banks can then conduct heightened monitoring of transactions to detect and prevent unauthorized charges. We are also coordinating our efforts with law enforcement to assist them in their investigation."
Harbortouch declined to provide further details.
A source at one card issuer, who asked to remain anonymous, tells ISMG that MasterCard and VISA sent fraud alerts to issuers this week "that were pretty sizable," but the alerts did not disclose the party involved. The date range was March 10 to April 14, 2015, according to the source.
POS malware attacks have stolen card data from retailers large and small, ranging from Target, Michaels and Staples to smaller mom-and-pop shops.
Security researchers at Cisco recently issued a warning about a new breed of point-of-sale malware dubbed Poseidon after the Greek god. They say it's the latest attack code designed to steal credit card numbers immediately after payment cards get swiped through POS terminals (see: Why POS Malware Still Works).