Credit card industry giant Visa on Friday issued a security alert warning companies using point-of-sale devices made by Oracle’s Micros retail unit to double-check the machines for malicious software or unusual network activity, and to change passwords on the devices.
Visa also published a list of internet addresses that may have been involved in a recent Oracle breach and are thought to be closely tied to an Eastern European organized cybercrime gang, reports security blog KrebsOnSecurity.
HEI Hotels announced earlier this month that intruders had broken into its payment network and installed payment-card stealing malware on POS systems at 20 of its properties. HEI brands that were hit by the breach included Marriott, Sheraton, Hyatt, and Westin. Credit and debit card numbers, card expiration dates, and verification codes of an undisclosed number of people who used their cards at these locations were compromised in the breach.
Publicly at least, there has been no confirmation that the breach at HEI is tied to the intrusion at Micros or any of the other vendors, reports Dark Reading, but the proximity of the multiple breach announcements has led to some speculation that there might be a link.
HEI’s breach announcement came just days after Oracle acknowledged that intruders had broken into a website used by its Micros point-of-sale systems subsidiary to support customers. Oracle said the attackers had placed malware on the site that allowed them to intercept the usernames and passwords used by Micros’ customers, which include many hotels and retail sites, to log into the support site.
The breach prompted some concern that the attackers may have used those credentials to then somehow gain access to the networks of Micros’ customers and place malware on their POS networks. The concerns were heightened by subsequent news that the same group that broke into the Micros network may have also managed to infiltrate the networks of five other, mostly small, POS system vendors.
The Visa alert is the first substantive document that tries to help explain what malware and which malefactors might have hit Oracle. Sources close to the investigation say hackers had broken into hundreds of servers at Oracle’s retail division, and had completely compromised Oracle’s main online support portal for Micros customers.
Micros is among the top three point-of-sale vendors globally, KrebsOnSecurity reports. When Oracle bought Micros in 2014, the company said Micros’ systems were deployed at some 200,000+ food and beverage outlets, 100,000+ retail sites, and more than 30,000 hotels.
Oracle also urged Micros customers to change their passwords, and said “we also recommend that you change the password for any account that was used by a Micros representative to access your on-premises systems.”
In addition to Visa’s recommendation, Card Systems recommended the following:
- Conduct another PCI scan to identify any security vulnerabilities (even though you may have recently conducted a PCI scan and passed, internal changes to your network and/or firewalls could have affected security protocols).
- Have your IT Department or IT vendor familiarize themselves with the information being disseminated by KrebsOnSecurity and Oracle to better understand the nature of the attacks, and apply that knowledge to your circumstances.
- Review your current breach protocols to ensure they are up to date. (If your company doesn’t have a protocol, it is imperative to have one. It is a PCI requirement.)
- Consider obtaining “breach” insurance. Most breach insurance can offset the devastating financial damage.
- Consider installing a device that takes the card number out of the Micros environment so that even if a hacker steals the card number, it is a useless four-digit number.