Oracle confirmed a malware attack on its MICROS point-of-sale business via its customer support portal. Hackers with ties to the Carbanak Gang, a Russian cybercrime syndicate, used malicious code to steal MICROS customer login credentials when customers accessed the support web portal.
While investigators are still assessing the precise origin and extent of the data breach at Oracle, more than 700 internal systems have reportedly been impacted. Though payment data is encrypted in the MICROS hosted environment, that information is not encrypted during payment processing—when customers swipe or insert their cards. Because the main attack vector was the customer portal, and because details are still unclear, the 330,000-plus retail customers using MICROS are left to wonder about their own exposure.
Oracle’s corporate network and other cloud and server offerings were not compromised, according to the company. However, Oracle is still investigating the incident and admits the extent of the damage is still unknown.
According to Verizon’s 2016 Data Breach Investigations Report, point-of-sale (POS) intrusions are behind nearly a third (32 percent) of security incidents and 64 percent of confirmed breaches at retailers. High-profile attacks on retailers such as Target and Home Depot underscore supply chain security risks and the potential for significant financial damage.
Hackers frequently attack third-party vendors, like payment providers, to gain access to the broader POS environment or find a backdoor entrance to a targeted corporate network. The initial attack is simply a jumping-off point to get the necessary credentials to launch another attack on the ultimate target. In this instance, investigators believe the breach began with a single system in Oracle’s network, used as a means of accessing the MICROS customer support portal, which holds information from customer support requests. Anyone who has worked with a technical support team knows that passwords, server names and other sensitive information may be included in troubleshooting documentation. This may explain why Oracle is not only forcing password resets, but also recommending that customers change the password for any account used by a MICROS representative to access their on-premises systems. For IT support teams that recycle old passwords or use hard-coded login credentials, this is a harsh reminder of why security professionals counsel against these practices.
While POS attacks have become increasingly common, the MICROS data breach is unusual in its scope and opportunity for large-scale theft. Oracle is the third-largest provider of POS software worldwide; its MICROS credit card payment systems are used at more than 330,000 terminals worldwide, including more than 200,000 food and beverage stores, and 100,000 retail sites.
If in-store payment terminals are compromised, it may explain the rash of POS attacks on retailers and hotel chains over the last few months. Further investigation will eventually shed light on how deep the data breach runs.
MICROS customers aren’t the only ones who should be concerned; it’s an important reminder for all retailers that the new EMV chip card technology isn’t a panacea. Retailers are particularly vulnerable to third-party intrusions via payment systems and other vendors, even those with seemingly innocuous access to a company’s network. To address third-party cyber risk, the following proactive measures are recommended:
Kruggel Lawton, in partnership with BDO, assists retailers in conducting information security risk assessments, cyber risk management strategy and incident response planning, as well as breach investigations and remediation measures.