Three new breaches have been reported in the past week showing that payment card data theft is still an ever-present threat.
Mandarin Hotel Group have confirmed that its hotels have been subject to a payment card breach. The breach has been perpetrated using card-data stealing malware on POS systems used at hotels in both Europe and the US and is likely to have been in operation since December 2014. Krebs On Security has been investigating the breach and published details last week.
The breach has parallels to the Marriot hotels breach reported in January but there is no indication whether the same gang is behind both breaches. Backoff malware was also rampant during 2014 and was responsible for card data breaches at Dairy Queen among many others.
BulkReefSupply.com has issued an apology in a statement regarding a ‘criminal attack’ on its website. The breach was effective throughout August 2014 until January 21 2015 and data stolen includes name, address, telephone number, email address/user name, password and credit card information of some customers. BRS provide saltwater aquarium supplies and with revenues of $16.1M reported for 2013, the impact of the customer data theft could be substantial. No further information has been provided about the nature of the breach but the most likely explanation is that malware was introduced to the eCommerce website to allow customer data to be stolen in a similar way to the Big Fish Games website breach reported last month.
NEXTEP Systems provide POS systems to restaurants, corporate cafeterias, casinos, airports and other food service venues. One of their customers – Zoup, with 75 restaurants – was recently identified as being the likely origin of a sequence of fraudulent card transactions.
Further information has now emerged that the breach may in fact be centered on NEXTEP Systems: NEXTEP Systems runs the POS systems on behalf of Zoup and other customers who may also have been compromised. KrebsOnSecurity.com reports that this is not a unique scenario with at least two other POS Vendors – Signature Systems and Advanced Restaurant Management Applications - responsible for breaches affecting hundreds of independent restaurants.
The root-cause for the Target Breach in 2013 was a compromised 3rd Party with access to Target Store systems but whether this was the attack vector used or not the conclusion still is that breach detection is a critical security best practice.
Learn about PCI DSS Compliance
Read the full report on the Mandarin Hotel Group breach here
Read the full report on the BulkReefSupply.com breach here
Read the full report on the NEXTEP Systems POS breach here