Verifone, the largest manufacturer of credit card terminals in the U.S., is reportedly investigating a breach of its internal networks. Krebs On Security once again broke the news about a giant data breach. The breach “appears to have impacted a number of companies running its point-of-sales solutions,” as reported by Krebs.
Not familiar with Verifone?
“Chances are you’ve used a Verifone device or point-of-sale system at your local petroleum station, grocer or favorite restaurant,” according to Verifone’s marketing materials.
Back in January, the company’s senior vice president and chief information officer sent an email to staff members and contractors. Krebs obtained a copy of the email, which he includes with the post. In short, the “urgent” memo tells everyone they have 24 hours to change all company passwords. It also warns that users will no longer be allowed to load additional software onto their devices and must instead contact the IT service desk to do so.
When Krebs asked the company about a possible breach, a spokesman named Andy Payment confirmed “the company saw evidence in January 2017 of an intrusion in a ‘limited portion’ of its internal network, but that the breach never impacted its payment services network.”
“Our payment services network was not impacted,” Payment said. “We immediately began work to determine the type of information targeted and executed appropriate measures in response. We believe today that due to our immediate response, the potential for misuse of information is limited.”
The spokesman refused to answer additional questions about the breach, such as how the company found out about it and whether word of it initially came from a third party. A source informed Krebs that Visa and Mastercard notified Verifone of the issue, which is what prompted the “Change Your Password” email. Krebs contacted both Visa and Mastercard to confirm this, but they didn’t comment.
This is where the story gets interesting. The source told Krebs the intrusion impacted a customer support unit in Clearwater, Florida that “provides comprehensive payment solutions specifically to gas and petrol stations throughout the United States — including, pay-at-the-pump credit card processing; physical cash registers inside the fuel station store; customer loyalty programs; and remote technical support.”
According to the Krebs story: “The source said his employer shared with the card brands evidence that a Russian hacking group known for targeting payment providers and hospitality firms had compromised at least a portion of Verifone’s internal network.”
After the post went live, Verifone circled back with Krebs with an update: “According to the forensic information to-date, the cyber attempt was limited to controllers at approximately two dozen gas stations, and occurred over a short time frame. We believe that no other merchants were targeted and the integrity of our networks and merchants’ payment terminals remain secure and fully operational.”
A story about the breach posted on The Register, a UK blog focused on the IT industry, interviewed Brian Vecci, a “technical evangelist” at Varonis, who provided perspective:
“Unlike Target, where a contractor’s credentials were used to compromise POS system, in this case the POS provider itself was compromised. With the prevalence of SaaS providers of all types replacing many in-house systems, organisations have to be more vigilant about what data they provide to their partners and how that data is secured.”