Oenophiles be warned: hackers have apparently breached security and managed to steal customer payment-card data from Missing Link Networks, Inc., a card processor and point-of-sale (POS) vendor serving a number of wineries primarily in northern California.
The hackers were able to steal information about payment card transactions during the month of April 2015.
Security expert Brian Krebs first investigated such claims earlier this week, when one of his sources at an unnamed Sonoma winery told him that the winery's POS processor, provided by Missing Link, had been breached. Today, Missing Link CEO and founder Paul Thienes released a statement confirming the problem:
Beginning on May 27, 2015, we began notifying our winery customers that eCellar Systems, our consumer-direct sales platform, had been breached during the month of April, 2015 by an unknown intruder. To that end, each of our winery clients will be sending out notice of this event to their customers and it is likely that individual consumers may receive a similar notice from multiple wineries.
Anytime you hear about a single hacking incident affecting many different businesses (such as wineries) rather than a single company, that usually indicates a POS rather than a database breach. Rather than break into a company's database to steal whatever information might be in its computer files, the hackers will somehow manage to plant malware on the point-of-sale systems that handle electronic payments, and can then steal whatever information is used to conduct further transactions on the affected systems.
Think of it as the business-payment-systems equivalent of keylogging malware on a regular computer: it can't read your previously saved files, but it does read and record everything you type from the point of infection onward.
Regarding the POS breach at Missing Link Networks, Thienes went on to say that the hackers “gained access to customer names, credit/debit card numbers, the related billing addresses, and any dates of birth in our system during the window of April 1st through 30th this year,” but “did not have access to any driver license numbers, Social Security numbers, CVV verification numbers, or PIN numbers (data which we would typically not collect anyway).”