Retail data breaches caused by vendor security problems

Grab a burger at Sonic or roast beef sandwich from Arby’s and watch a new episode streaming on Netflix in your hotel room—what do these consumer-related activities have in common? Each retail business was hacked through a third party connection in the last year. Retail point of sale (POS) is plagued by criminals whose business is hacking POS systems and devices. In 2013, the first big POS hack to hit the headlines was the Target data breach. The incident set the stage for most POS attacks to come—hackers infiltrated the retail giant’s network through a third-party vendor (in this case, the insecure connection of an HVAC contractor) and planted malicious code that collected credit card information on Target shoppers. Fast forward to today and the same method is being used widely across the retail sector. Just a few recent examples include:

• Late last year, the fast-food drive-in chain, Sonic, with outlets in 45 states, was hit with POS malware.  Media reports note that millions of credit card numbers from cards used in transactions with Sonic were allegedly placed for sale on the web. As noted in a statement to Krebs on Security, Sonic stated, “We are working to understand the nature and scope of this issue, as we know how important this is to our guests. We immediately engaged third-party forensic experts and law enforcement when we heard from our processor.”
• Another fast-food restaurant, Arby’s, was also hit with malicious code installed on POS devices in corporate-owned Arby’s restaurants around the country. The attacks on Sonic and other restaurants like Wendy’s continue the ongoing pattern of harvesting financial and personal information from the infected sales devices of third-party POS vendors.
• Hackers attack the third-party connections of other types of retail providers as well. In May 2017, hackers compromised the third-party post-production vendor of the producers of the hit original Netflix program “Orange is the New Black.” When ransom demands were not met, the criminals released stolen episodes from season five of the popular series.
• Hotel chains are repeatedly attacked by criminal enterprise targeting POS-devices. Within the last year, InterContinental Hotels Group (IHG), which owns brands like Holiday Inn, Crowne Plaza, and others, revealed approximately 1,000 of its properties had been hit by malware that collected customer credit card data. Security reporter Brian Krebs also reported in October 2017 that Hyatt Corp. had suffered its second credit card breach within two years. Again, compromised third-party POS devices played a key role.

Across the retail landscape, e-commerce and brick and mortar businesses alike are at risk of losing data and dollars due to insecure third parties. For retail owners, using a secure remote access platform reduces the possibility of a security breach and gives you the tools to understand and manage who is on your network, and what they are doing.