Security Alert: POS Systems Infiltrated by Russian Cybercrime Group; Recommendations for MICROS Legacy System Users


Last week, it was reported that hackers had infiltrated five cash register providers last month: Cin7, ECRS, Navy Zebra, PAR Technology and Uniwell. This announcement follows the news from the previous week that cybercriminals had infected Oracle MICROS legacy systems, which are popular in the hospitality industry, with malicious code. This raises the level of concern about the breadth of the infiltration and should place hospitality companies on high alert. Your next steps should be to conduct a security scan and close off POS systems by changing access passwords.

The Oracle breach was first reported on July 25 and might have been discovered as early as July 18. In an investigation on the Oracle hack, security expert Brian Krebs on the Krebs on Security blog wrote, “A Russian organized cybercrime group known for hacking into banks and retailers appears to have breached hundreds of computer systems at software giant Oracle Corp… More alarmingly, the attackers have compromised a customer support portal for companies using Oracle’s MICROS point-of-sale credit card payment systems.”

Krebs continues to explain, “Two security experts briefed on the breach investigation and who asked to remain anonymous because they did not have permission from their employer to speak on the record said Oracle’s MICROS customer support portal was seen communicating with a server known to be used by the Carbanak Gang. Carbanak is part of a Russian cybercrime syndicate that is suspected of stealing more than $1 billion from banks, retailers and hospitality firms over the past several years.”

In breaches similar to this, cyber criminals take advantage of weaknesses in POS vendors’ servers to collect secure usernames and passwords. With this information, the hackers can gain remote access to systems and collect customers’ and guests’ payment information.


Oracle has not described the extent of the breach, but has communicated to its customers that the company has “implemented additional security measures for the legacy MICROS systems.” From the customer side, the company has required “MICROS customers to change the passwords for all MICROS on-premises and hosted accounts, including accounts that were used by a MICROS representative to access on-premises systems.” To assist with the password update, Oracle has issued technical instructions for a variety of its systems. Find the list here.

On the hotelier side, a group of hotel chief information security officers (CISOs) has come together through Hotel Technology Next Generation (HTNG) to share information and discuss the response. The group has met numerous times via conference call and plans to continue as the scope of the hack is revealed and dealt with.

In its most recent meeting on August 12, Monika Nerger, Global CIO at Mandarin Oriental Hotel Group and president of HTNG, reported that Mandarin Oriental had conducted a threat scan of the company’s POS systems and did not find evidence or triggers of infiltration with a link to the Carbanak group. In its discussion, the CISO group recommended that companies conduct similar scans in addition to the password changes.

HFTP continues to provide education for hospitality IT professionals in preparation for such security breaches. At the annual HITEC it offers a security boot camp and other concurrent sessions that address the eventuality. The association offers online education via its ProLinks webinars on the same topic.

Oracle has stated that as the investigation into the breach continues, it would communicate directly with its customers.

The HTNG CISO group plans to continue to work closely to share information as it is discovered. HFTP plans to provide updates here in this blog post as it is shared. If you have information to contribute, contact Patrick Dunphy. In the meantime, take the opportunity to change access passwords and conduct a security scan on your POS system.

Eliza Selig

Eliza Selig is the HFTP director of communication. She has been with HFTP since November 1999. Contact Eliza at +1 (512) 220-4026.


1 Comment

  1. Eliza, great synopsis of this big breach of Micros Support Systems. I would urge each person to share their experiences, what steps each took to find any malware, which system you have and how it was fixed, so that other hoteliers who are our colleagues can get a better idea or get some feedback from all. You do not have to identify yourself or your property.

    I will start first: I called the company that supports our POS systems and asked them to run an external scan on the IP they use to access your system to support it, and also have them change all their passwords. As an extra precaution we had all our hotel staff members change their passwords. In short, each user who uses the POS system must change their passwords immediately. Let us work as a team to help each other. Best wishes
