POS Vendor Investigates Breach
The Latest Incident Involving a Third Party Serving Merchants
NEXTEP Systems, a point-of-sale provider that specializes in systems and devices designed for the food service industry, is investigating a security breach that exposed payments data from at least one of its customers - the latest in a series of breaches that have ultimately led back to POS vendors.
Tommy Woycik, president of Troy, Mich.-based NEXTEP, tells Information Security Media Group: "NEXTEP was recently notified by law enforcement that the security of the systems at some of our customer locations may have been compromised. NEXTEP immediately launched an investigation in cooperation with law enforcement and data security experts we retained to determine the root cause and remediate the issue."
Woycik, however, says it is too early to say whether the breach could be linked to compromised remote-access credentials, such as the LogMeIn credential compromises that have exposed card data at other POS vendors.
"We do know that this is not affecting all NEXTEP customers, and we have been working with our customers to ensure that any issues are addressed," he says. "This remains an ongoing investigation with law enforcement. At this stage, we are not certain of the extent of the breach and are working around the clock to ensure a complete resolution."
On March 9, security blogger Brian Krebs reported that NEXTEP acknowledged it was investigating a possible breach after numerous card issuers traced fraudulent card activity back to Zoup, a Missouri-based restaurant chain that's one of NEXTEP's clients.
On March 9, Zoup CEO Eric Ersher, in a statement posted to Zoup's website, said the breach is believed to date back to Feb. 2 and impacted card transactions conducted as recently as March 5.
"Zoup's third-party, point-of-sale (cash register) system recently experienced a payment card security incident that affected most of our U.S. locations," Ersher says. "We have been informed that card numbers entered manually or online were not affected. The good news is we found the cause of the issue and eliminated it on March 5."
Ersher tells ISMG that Zoup is working to clarify as many details about the breach as possible.
In the corporate statement, Zoup notes that the malware that compromised card data has been removed from its POS system. Ersher confirmed that NEXTEP is Zoup's POS provider.
Tracing multiple merchant compromises back to a single POS vendor poses challenges, one executive with a Midwest card issuer, who asked not to be named, tells ISMG.
Until fraud can be traced to multiple merchants using the same POS systems and devices, it's difficult for issuers to say definitively that one specific vendor may be to blame, the executive says.
"Most FIs [financial institutions] don't know what types of POS terminals are deployed at what merchants," the executive says. "Thus, finding a common point can be very frustrating. With EMV deadlines in October, fraudsters are making sure they hit before then."
Marjorie Meadors, who oversees card fraud prevention for Louisville-based Republic Bank & Trust, a community bank with $3.2 billion in assets, noted that POS vendor compromises have been an ongoing problem for merchants.
In October 2013, in response to a 2012 breach that exposed card data at Vermont-based grocery chain Natural Provisions, Meadors said POS vendors needed to be held more accountable (see Breaches: Holding Retailers Accountable).
"Some [POS] software companies are not properly educating their merchants about the risk and the need to keep the software updated and patched," Meadors said. "We have been told that often the software companies or their resellers are not sending out patches or updates, even when the merchants have paid for them. It will probably take some merchants bringing lawsuits against their software providers to get any action."
In early 2013, Meadors was closely involved with a card-breach investigation that impacted numerous merchants in Kentucky and Indiana. Ultimately, the breach was traced back to a POS software vulnerability, she said (see Retailers Attacked by POS Malware).
POS Vendor Vulnerabilities
In early June 2014, Vancouver, Wash.-based food-service POS and security systems provider Information Systems & Supplies Inc., an independent reseller of POS products sold by software vendor Future POS Inc., notified restaurant customers of a LogMeIn remote-access compromise that may have exposed card data used for POS transactions conducted between Feb. 28 and April 18 of last year. Future POS customers include restaurant chains such as Dairy Queen and TacoTime.
Later that month, Information Systems & Supplies president Thomas Potter told ISMG that his company's remote-access credentials were somehow compromised, possibly through a phishing attack. After learning of the breach, which LogMeIn discovered, Potter said Information Systems & Supplies was notifying potentially impacted customers of possible card compromises (see POS Vendor: Possible Restaurant Breach).
Then, in late July, the Delaware Restaurant Association notified its 1,900 members of a similar remote-access breach linked to a compromise of LogMeIn credentials that had likely impacted an undisclosed number of Delaware establishments (see Restaurant Association Warns of Breach).
The restaurant association told ISMG that MICROS Systems Inc., Aloha POS and Digital Dining are the three primary POS hardware and software vendors that provide services and solutions to its membership.
Just a couple of months later, both Goodwill Industries and restaurant chain Jimmy John's reported that card compromises traced back to their establishments also were linked to POS vendor compromises.
While Goodwill did not publicly name the vendor blamed for the compromise of cards used at 330 of its stores, it did say that all of the affected locations used the same third-party vendor to process card payments.
Jimmy John's, which reported that 216 of its locations had been affected, did name its vendor, Signature Systems Inc.
Signature Systems also issued a statement about the breach, noting that many of its restaurant clients were impacted and that the compromise resulted from a remote-access attack involving compromised credentials.