Last week, Forbes.com reported that hackers had infiltrated five cash register providers last month: Cin7, ECRS, Navy Zebra, PAR Technology and Uniwell. This announcement follows the news from the previous week that cybercriminals had infected Oracle MICROS legacy systems, popular in the hospitality industry, with malicious code. This raises the level of concern about the breadth of the infiltration and should place hospitality companies on high alert. Your next steps should be to conduct a security scan and close off POS systems by changing access passwords.
The Oracle breach was first reported on July 25 and might have been discovered as early as July 18. In an investigation of the Oracle hack, security expert Brian Krebs wrote on the Krebs on Security blog, “A Russian organized cybercrime group known for hacking into banks and retailers appears to have breached hundreds of computer systems at software giant Oracle Corp… More alarmingly, the attackers have compromised a customer support portal for companies using Oracle’s MICROS point-of-sale credit card payment systems.”
Krebs goes on to explain, “Two security experts briefed on the breach investigation and who asked to remain anonymous because they did not have permission from their employer to speak on the record said Oracle’s MICROS customer support portal was seen communicating with a server known to be used by the Carbanak Gang. Carbanak is part of a Russian cybercrime syndicate that is suspected of stealing more than $1 billion from banks, retailers and hospitality firms over the past several years.”
In breaches like this one, cybercriminals take advantage of weaknesses in POS vendors’ servers to collect secure usernames and passwords. With this information, the hackers can gain remote access to systems and collect customers’ and guests’ payment information.
Oracle has not described the extent of the breach, but has communicated to its customers that the company has “implemented additional security measures for the legacy MICROS systems.” On the customer side, the company has required “MICROS customers to change the passwords for all MICROS on-premises and hosted accounts, including accounts that were used by a MICROS representative to access on-premises systems.” To assist with the password update, Oracle has issued technical instructions for a variety of its systems. Find the list here.
On the hotelier side, a group of hotel chief information security officers (CISOs) has come together through Hotel Technology Next Generation (HTNG) to share information and discuss the response. The group has met numerous times via conference call and plans to continue as the scope of the hack is revealed and dealt with.
In its most recent meeting on August 12, Monika Nerger, Global CIO at Mandarin Oriental Hotel Group and president of HTNG, reported that Mandarin Oriental had conducted a threat scan of the company’s POS systems and did not find evidence or triggers of infiltration with a link to the Carbanak group. In its discussion, the CISO group recommended that companies conduct similar scans in addition to the password changes.
HFTP continues to provide education for hospitality IT professionals in preparation for such security breaches. At the annual HITEC, it offers a security boot camp and other concurrent sessions that address the eventuality. The association also offers online education on the same topic via its ProLinks webinars.
Oracle has stated that, as the investigation into the breach continues, it will communicate directly with its customers.
The HTNG CISO group plans to continue to work closely to share information as it is discovered. HFTP plans to provide updates here in this blog post as information is shared. If you have information to contribute, contact Patrick Dunphy (firstname.lastname@example.org). In the meantime, take the opportunity to change access passwords and conduct a security scan on your POS system.
Eliza Selig is the HFTP director of communication. She has been with HFTP since November 1999. Contact Eliza at email@example.com or +1 (512) 220-4026.