Hack Brief: Hackers May Have Breached Oracle’s Cash Register System

It's not clear how bad this is, but it's definitely not good.

Oracle’s MICROS systems handle credit card payments at some 330,000 cash registers worldwide. And they've fallen victim to a major breach, possibly spearheaded by a group of Russian cybercriminals. That could put a whole lot of personal information at risk.

The Hack

Late last month, security researcher Brian Krebs received a tip that Oracle MICROS systems may have been compromised. On investigating further, he confirmed that the MICROS customer support portal had been accessed by a server associated with the Carbanak Gang, a Russian syndicate that Krebs says “is suspected of stealing more than $1 billion from banks, retailers and hospitality firms over the past several years.”

It appears that the intruders loaded the MICROS portal with malware, which then went on to log the usernames and passwords of customers when they logged on.

Oracle confirmed the intrusion in a letter to MICROS customers, which it also sent to WIRED in lieu of a statement.

“Oracle Security has detected and addressed malicious code in certain legacy MICROS systems,” the letter reads. “Oracle’s Corporate network and Oracle’s other cloud and server offerings were not impacted by this code.”

Who’s Affected

At this point the extent of the damage isn’t entirely clear. Certainly any business that uses the MICROS support portal should consider its credentials compromised. Oracle is requiring all MICROS customers to change their account passwords.

The real question, as Krebs notes, is whether the hackers were able to use those pilfered credentials to upload malware that stole credit card information, a much more serious breach for consumers. Oracle says that payment data is encrypted “both at rest and in transit in the MICROS hosted environment,” but that could imply that the devices that actually interact with your credit cards in stores could still have been compromised.

“It is not unreasonable to assume that many point-of-sale systems have become points-of-sabotage for Russian cyber criminals,” says Adam Levin, founder of the identity protection firm IDT911. Again, as of 2014 MICROS was used at 330,000 sites across 180 countries. You’re more likely to have swiped your card at one than not.

How Serious Is This?

Maybe not too serious, if the damage really was limited to a customer service portal. If a Russian cybergang was able to use that access to siphon credit card numbers, though, the consequences could be plenty serious (and costly).

For consumers, the only course of action is the one you’re likely already taking. Monitor your credit card accounts, and if you see something askew, tell your bank. This Oracle breach may end up making things worse, but identity theft has already become a matter of when, not if.