NEXTEP's POS systems, as well as self-serve kiosks, are used in restaurants, airports, education environments, grocery stores and healthcare facilities, among other locations. One of its customers is the Missouri-based restaurant chain Zoup, which in March confirmed that it had found and removed malware from its NEXTEP POS systems which resulted in consumers' payment card data being compromised.
Now, up to 70,000 consumers may have also been affected via similar attacks involving Compass Group, which is composed of 18 operating companies that provide food for such organizations and events as IBM, SAP, the District of Columbia Public Schools and the Academy Awards.
"Based upon an extensive forensic investigation, it appears that unauthorized individuals installed malicious software designed to capture payment card information on certain NEXTEP self-serve payment kiosks used at a limited number of our on-site dining locations," Charlotte, N.C.-based Compass Group says in a related customer FAQ. "We believe that the malware could have compromised payment card data (including name, payment card account number, card expiration date, and the CVV security code) of individuals who used a payment card at impacted NEXTEP self-serve payment kiosks in use at certain on-site dining locations, between February 2, 2015, and March 9, 2015."
Compass Group says it does not know exactly which credit or debit cards were compromised, but notes that fewer than 70,000 payment cards were used on its NEXTEP self-serve payment kiosks during the breach period. "We believe that the number of exposed cards is significantly lower because only a portion of kiosks were infected with malware," it says.
A spokeswoman for Compass Group didn't immediately respond to a request for comment about exactly which locations - and in which states - it found malware-infected NEXTEP kiosks. Its notification to California residents notes that three locations in that state were affected.
In a message to customers, Compass Group says it will offer one year of prepaid identity theft monitoring services to any customer who used the exploited kiosks during that time.
The breach warning follows POS systems provider Harbortouch Payments on April 22 confirming to Information Security Media Group that attackers had successfully launched a malware attack that affected "a small percentage" of its merchant customers (see POS Vendor Reports Malware Attack). To date, Harbortouch has offered scant additional information on the breach, but one card issuer tells ISMG that related fraud appears to have occurred from March 10 to April 14, 2015.
Familiar Attack Formula
The NEXTEP and Harbortouch Payments breaches are the latest in a string of attacks that involve POS systems. "This is more of the same - cybercriminals are testing every stakeholder in the payments ecosystem for vulnerabilities, and POS systems are a critical chokepoint for payment data that will continue to be exploited," Al Pascual, director of fraud and security for Javelin Strategy & Research, tells ISMG.
While findings from digital forensics investigations into the NEXTEP or Harbortouch Payments breaches have yet to be released, Pascual says most such attacks follow a now-familiar formula. "I can't say specifically how this happened, though poor remote access authentication is the most likely suspect."