[BreachExchange] Point-of-sale data breaches have now reached the cloud

Audrey McNeil audrey at riskbasedsecurity.com
Fri Sep 2 15:31:07 EDT 2016


http://www.itnews.com/article/3116088/point-of-sale-data-
breaches-have-now-reached-the-cloud.html

The latest in a string of hacks against retail point-of-sale systems has
hit the operator of a cloud-based service with about 38,000 business
clients.

Montreal-based Lightspeed reported the breach on Thursday and said it
affected a system that retailers can use from tablets, smartphones and
other devices.

The incident occurs as a growing number of retailers and hotels have been
targeted by hackers, who typically install malware into the point-of-sale
systems to steal credit card numbers.

The breach at Lightspeed targeted a central database that stores client
information, the company said. The incident exposed data related to sales,
products, and encrypted passwords that clients use to get on Lightspeed's
system.

In some cases, consumers’ electronic signatures that have gone through the
point-of-sale software were also accessed. However, Lightspeed has found no
signs that any data was stolen or used.

“It’s worth noting that Lightspeed does not store credit card information,
and therefore no cardholder data was compromised in this incident,” said
Bradley Grill, a company spokesman, in an email.

Although Lightspeed didn’t provide specifics, it said the passwords that
were accessed were secured with “advanced encryption technology” that
Lightspeed upgraded in January 2015.

WATCH NOW

How to enter Windows 10 Safe Mode (1:35)
Winging it with the Chroma and Dragonfly drones

An investigation is already under way, and Lightspeed has sent out an email
alert to clients. The company is recommending clients change their
passwords.

Point-of-sale systems have become an attractive target for cyber criminals,
often because attacking one system can also mean access to dozens or
hundreds of retail stores.

In Lightspeed’s case, the company has business clients with $12 billion in
transactions annually. These clients include many smaller retailers that
sell clothing, jewelry, books and sporting equipment. The company’s retail
point-of-sale system operates as a cloud-based service that can work on
iPads and other devices.

In response to the breach, Lightspeed is limiting “personal access” to the
company’s production infrastructure and sensitive data. It’s also upgrading
its security to detect more advanced attacks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160902/183a9195/attachment.html>


More information about the BreachExchange mailing list