Cleveland-based Select Restaurants Inc., a national chain of upscale restaurants and bars, has experienced a breach exposing customers’ payment card data through point-of-sale technology, according to data security expert Brian Krebs.

The hack came to light through a Google notification that Select Restaurants’ site may have been hacked, Krebs said in a March 16 report.

The breach appears to have been the result of an intrusion at Select Restaurants’ point-of-sale vendor, Geneva, Ill.-based 24X7 Hospitality Technology, Krebs reported. Select Restaurants, which operates Boston’s Top of the Hub and the Rusty Scupper in Baltimore, Maryland, among other locations, notified customers in February of “a sophisticated network intrusion through a remote access application,” according to Krebs.

This latest breach shares characteristics with many other recent breaches of midsize hospitality companies, Krebs said in the blog post. Those breaches often begin when fraudsters launch phishing attacks to obtain the password used to remotely administer a POS system; the scammers can then use the PoSeidon malware to siphon card data when cashiers swipe credit cards at compromised cash registers.

Many merchants remain vulnerable to such POS malware attacks because of weak defenses, said John Christly, global chief information security officer for Netsurion, which provides data security.

“These remote-access services can be poorly configured with guessable passwords, enabling the hackers to break in and distribute the malware to hundreds or thousands of POS machines,” Christly said. “It doesn’t help that malware can be tricky to detect, sometimes sneaking past antivirus programs to stealthily extract payment data, despite the presence of traditional firewalls.”

Defending against POS malware attacks requires a layered approach that combines file integrity monitoring, unified threat management appliances, security information and event management, and advanced security solutions that stop attacks on endpoint computers and servers before they can wreak havoc on other systems, according to Christly.