The bad news is, there's been another point-of-sale (POS) hack, one that has compromised the credit- or debit-card information of Zod knows how many Americans who used their cards to pay for things at the affected locations.

The worse news is, the list of affected businesses hasn't been made available yet, so as of now you can't even check to see if your own recent buying history puts you at risk.

Computer-security expert Brian Krebs, known for having first uncovered previous breaches at Home Depot stores, JP Morgan Chase banks, and numerous other mass customer-data thefts, reported today that Harbortouch is the latest POS vendor to suffer a data breach, and it looks like a big one:

Last week, Allentown, Pa. based point-of-sale (POS) maker Harbortouch disclosed that a breach involving “a small number” of its restaurant and bar customers were impacted by malicious software that allowed thieves to siphon customer card data from affected merchants. KrebsOnSecurity has recently heard from a major U.S. card issuer that says the company is radically downplaying the scope of the breach, and that the compromise appears to have impacted more than 4,200 Harbortouch customers nationwide.

POS vs. database breach

Whenever a single incident affects many unrelated businesses at once, that usually points to a POS breach rather than a database breach. Instead of breaking into one company's database to steal whatever records it holds, the attackers plant malware on the point-of-sale systems that process card payments, and that malware copies the card data out of every transaction that passes through the infected terminals, typically by reading it from the POS software's memory in the brief moment after the card is swiped and before the data is encrypted for transmission to the processor.

Think of it as the business-payment-system equivalent of keylogging malware on a regular computer: it captures the data at the point of entry, before any encryption has a chance to protect it.
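The memory-scraping step described above, as an added example that is not code from the article, from Harbortouch, or from any of the malware families mentioned on this page: the same pattern matching a RAM scraper uses to find magnetic-stripe data in process memory is also what a forensic scanner runs over a memory dump to confirm an infection. The track layouts are the standard ISO/IEC 7813 formats; the sample buffer is constructed, and the card numbers in it are industry test PANs, not real accounts.

```python
"""Scan a memory buffer for magnetic-stripe track data (added example).

A POS RAM scraper searches process memory for Track 1 / Track 2 data because
the card is briefly present there in the clear after the swipe. The same
search, run by a responder over a memory dump, is a quick way to confirm
that card data was exposed on a given terminal.
"""
import re

# Track 2: ;PAN=YYMM SSS discretionary?   (PAN 13-19 digits, expiry, service code)
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([0-9]*)\?")
# Track 1: %B PAN ^ SURNAME/FIRST ^ YYMM SSS discretionary?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([A-Z0-9 /.\-']{2,26})\^(\d{4})(\d{3})[0-9A-Z ]*\?")


def luhn_ok(pan: bytes) -> bool:
    """Luhn check: real PANs pass; random digit runs in memory mostly do not.

    Both scrapers and scanners use it to throw away false matches.
    """
    digits = [int(c) for c in pan.decode()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_memory(buf: bytes):
    """Return every Luhn-valid track record found in buf, with its offset."""
    hits = []
    for m in TRACK1.finditer(buf):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append({"track": 1, "pan": pan.decode(),
                         "name": m.group(2).decode().strip(),
                         "expiry": m.group(3).decode(), "offset": m.start()})
    for m in TRACK2.finditer(buf):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append({"track": 2, "pan": pan.decode(),
                         "expiry": m.group(2).decode(), "offset": m.start()})
    return hits


def mask_pan(pan: str) -> str:
    """First six and last four only, the usual form for reporting a hit."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed stand-in for a POS process memory region (not a real dump).
SAMPLE_MEMORY = (
    b"\x00\x00POS-APP v2.1\x00"
    b"%B4111111111111111^DOE/JOHN^25121011000000000000?"  # Track 1, test PAN
    b"\x00\x00"
    b";5500000000000004=25121011234567890?"               # Track 2, test PAN
    b"\x00garbage;1234567890123456=2512101?"               # fails Luhn: ignored
    b"\x00"
)

if __name__ == "__main__":
    for h in scan_memory(SAMPLE_MEMORY):
        print("track", h["track"], mask_pan(h["pan"]), h.get("name", ""),
              "exp", h["expiry"], "@ offset", h["offset"])
```

The defensive use is the one worth keeping in mind: run the scan against a dump of the payment application's process on a suspect terminal, and a single Luhn-valid hit tells you card data was recoverable from memory there, whether or not you have found the malware yet.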

Last September, in another incident first uncovered by Krebs, someone managed to place malware on various POS systems made by Signature Systems, a third-party payment vendor whose malware-infected clients included over 200 different Jimmy John's Gourmet Sandwiches stores (out of approximately 1,900 Jimmy John's locations in all) and 108 other restaurants, mostly independent mom-and-pop businesses.

At the time, Signature Systems released a list of those 108 restaurants, although the list wasn't particularly useful because it gave only company names, without street addresses, cities or even states. For example: Signature's list mentioned that a “Mario's Pizza” was affected, and the U.S. has hundreds if not thousands of different independent restaurants going by that name, scattered across all 50 states.

Less than a week after news of the Jimmy John's/Signature Systems breach came the announcement that some, but not all, supermarkets under the names ACME, Albertson's, Jewel-Osco, Shaw's, Star and SuperValu had been hacked; once again, thieves had managed to place malware on the POS systems used at certain of the company's locations.

And less than three weeks ago, the White Lodging Services Corporation (which operates franchises under brand names including Marriott, Courtyard, Renaissance and Sheraton, among others), admitted that hackers had managed to breach the point-of-sale systems used — not by White Lodging-owned hotels, but by the bars and restaurants attached to some of them.

A pattern

So what's going on with Harbortouch POS systems? According to Brian Krebs' financial-industry sources, in the weeks leading up to Harbortouch's initial disclosure those sources noticed a pattern of fraudulent card activity broad enough that they initially suspected a breach at a credit-card processor rather than at any one merchant.
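The article says only that the banks "noticed a pattern"; it does not describe how an issuer gets from a spike in disputes to a suspected processor or vendor. The standard technique is common-point-of-purchase (CPP) analysis, shown here as an added example that is not code from the article or from any bank it mentions. Every card token, merchant and vendor name in it is made up: for each card later reported as fraud, look back at where it was used during the exposure window, then rank merchants, and one level up the POS vendor they share, by the share of their cards that went bad.

```python
"""Common-point-of-purchase (CPP) analysis over a constructed log (added example).

The interesting case for a POS-vendor breach is that each individual
merchant is small and looks only mildly suspicious, while grouping the same
cards by the vendor behind those merchants makes the compromise point obvious.
"""
from collections import defaultdict
from datetime import date

# Look-back window in which the cards are assumed to have been exposed.
EXPOSURE_WINDOW = (date(2015, 3, 1), date(2015, 3, 31))

# Constructed authorization log: (card_token, merchant_id, pos_vendor, auth_date).
# Tokens stand in for PANs; an issuer would not key this analysis on raw PANs.
AUTHS = [
    ("c01", "bar_a",   "VendorX", date(2015, 3, 2)),
    ("c02", "bar_a",   "VendorX", date(2015, 3, 3)),
    ("c03", "grill_b", "VendorX", date(2015, 3, 4)),
    ("c04", "grill_b", "VendorX", date(2015, 3, 5)),
    ("c05", "pub_c",   "VendorX", date(2015, 3, 6)),
    ("c06", "pub_c",   "VendorX", date(2015, 3, 7)),
    ("c07", "cafe_d",  "VendorY", date(2015, 3, 2)),
    ("c08", "cafe_d",  "VendorY", date(2015, 3, 9)),
    ("c09", "gas_e",   "VendorZ", date(2015, 3, 1)),
    ("c10", "gas_e",   "VendorZ", date(2015, 3, 8)),
    ("c01", "gas_e",   "VendorZ", date(2015, 3, 10)),  # fraud cards also shop at
    ("c07", "gas_e",   "VendorZ", date(2015, 3, 11)),  # innocent merchants: noise
]

# Cards whose holders later disputed charges as fraud (constructed).
FRAUD_CARDS = {"c01", "c02", "c03", "c04", "c05", "c06", "c07"}


def cpp_scores(auths, fraud_cards, key_index, window=None, min_cards=1):
    """Rank candidate compromise points by fraud rate among the cards they saw.

    key_index selects the column to group on (1 = merchant, 2 = POS vendor).
    Returns (key, cards_seen, fraud_cards_seen, fraud_rate) tuples sorted by
    rate and then by volume. Keys that saw fewer than min_cards distinct cards
    are dropped because a rate computed on two or three cards is not actionable.
    """
    cards_by_key = defaultdict(set)
    for row in auths:
        if window is None or window[0] <= row[3] <= window[1]:
            cards_by_key[row[key_index]].add(row[0])
    scored = []
    for key, cards in cards_by_key.items():
        if len(cards) < min_cards:
            continue
        hit = len(cards & fraud_cards)
        scored.append((key, len(cards), hit, hit / len(cards)))
    scored.sort(key=lambda r: (r[3], r[1]), reverse=True)
    return scored


if __name__ == "__main__":
    print("By merchant:")
    for row in cpp_scores(AUTHS, FRAUD_CARDS, 1, EXPOSURE_WINDOW):
        print("  %-8s cards=%2d fraud=%2d rate=%.2f" % row)
    print("By POS vendor:")
    for row in cpp_scores(AUTHS, FRAUD_CARDS, 2, EXPOSURE_WINDOW):
        print("  %-8s cards=%2d fraud=%2d rate=%.2f" % row)
```

In the merchant view three tiny bars each show two cards, both bad, which is exactly what an issuer would dismiss as too small a sample; in the vendor view the six cards they share all went bad, while the vendors of the innocent merchants sit at the background rate. A production version compares each key's rate against the issuer's baseline fraud rate and restricts the look-back to the period before each card's first fraudulent transaction, but the grouping step is the same.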

It was bad enough that various card-issuing banks started changing the way they processed debit-card transactions. For example, United Bank, based in Glastonbury, Connecticut, put this notice at the top of its webpage:

In an effort to protect our customers after learning of a spike in fraudulent transactions in grocery stores as well as similar stores such as WalMart and Target, we have instituted a block in which customers will now be required to select ‘Debit’ and enter their ‘PIN’ for transactions at these stores when using their United Bank debit card.

That said, Harbortouch maintains that, while some of its POS systems were breached, the incident only “affected a small percentage of our merchants.” Krebs' anonymous source at a “top 10 card-issuing bank” nevertheless believes the breach affected more than 4,200 different merchants using Harbortouch POS systems, and when Krebs put that figure to Harbortouch, the company repeated its earlier stance that only a small percentage of its merchants were affected.

Exactly who those merchants are, or where their businesses are located, has yet to be announced.
