Many data breaches at retailers, restaurants and hotels have one thing in common: hackers accessed the company’s systems and scored customer credit card data by exploiting a third-party connection. For example, the famous Target megabreach was perpetrated with credentials stolen from the company’s heating and air conditioning vendor. Hackers use vulnerabilities in third-party systems that connect to a company’s main systems as a virtual back door. Point-of-sale (POS) systems, which process the actual transactions in customer sales, are especially at risk of being targeted by hackers, and right now news of an intrusion into the MICROS POS credit card payment systems operated by software company Oracle has thousands of companies around the world concerned about customer data safety. How many companies are potentially affected, and what does this breach mean for consumers?
More than 330,000 locations worldwide are at risk
Oracle’s MICROS is one of the top three POS vendors in the world, and it is estimated to be used at 330,000+ locations worldwide, including over 200,000 food and beverage outlets, 100,000 retail stores and 30,000 hotels. While the exact size and scope of this breach are still being investigated, according to a FAQ released by Oracle, an organized Russian cybercrime group breached hundreds of its computer systems. After detecting malicious code and addressing it, Oracle has asked all MICROS customers to reset their customer portal passwords. A security alert issued by Visa on Aug. 12 instructed all companies using MICROS POS systems to double-check their devices for malware or unusual network activity, and to change the passwords for any account used by a MICROS representative to access their on-premises systems.
What could this breach mean for consumers?
One major concern, according to analysis of this data breach by cybersecurity expert Brian Krebs, is that hackers could have used the initial intrusion into MICROS POS systems to gain remote access to these systems for further exploitation without detection by Oracle. This would mean many breaches at retailers and merchants around the world could have been going on without being tied back to the single origin point, giving hackers more time to extract customer payment card information and other data. Stolen data like this is often not used right away, and is instead sold on the Internet black market. Oracle has been criticized by many customers and industry experts for its slow response and relative silence, which has left companies vulnerable since they don’t yet know all of the details they need to determine whether their systems have been hacked. In addition to costing tons of money over the long run, this breach has the potential to be wide-reaching, since hundreds of millions of payment cards are processed through MICROS POS systems, making any data hackers collect highly valuable.
Are recent hotel breaches connected to the MICROS breach?
Hotels in at least 20 locations in 10 states and the District of Columbia reported a payment system hack on Aug. 15, which could potentially be the result of the MICROS breach. Included within the breach were the San Diego Marriott La Jolla and the Westin Pasadena, and both Marriott and Westin are among the hotels that use MICROS to process their payments. It’s entirely possible that a number of hotel breaches in recent months, such as those at Hilton Hotels, can be tied to the MICROS breach. Only time will tell: until Oracle finishes its investigation, the full extent of the breach will remain unknown. In the case of these most recent hotel data breaches, all affected locations are operated by HEI Hotels and Resorts, which posted a statement on its website notifying customers and providing contact information for those concerned. If you think you might have been impacted by this breach, it’s important to monitor your payment card statements and to consider taking actions like freezing your credit reports or investing in an identity theft protection service, which will help you keep tabs on your credit reports and alert you if your information appears on the Internet black market or in public records.