Oracle’s Data Breach May Explain Spate of Retail Hacks

The systems of the Oracle MICROS payment terminals division have been infected by a malware, systems worldwide are potentially at risk. The attackers infected the troubleshooting portal of the Oracle MICROS payment terminals to steal customers’ login credentials, then use the usernames and passwords to access their accounts and gain control over their MICROS point-of-sales (POS) terminals. IT Security Experts from ESET, Lieberman Software and Imperva commented below.

Mark James, Security Specialist at ESET:

“Oracle’s MICROS system has been compromised by malware; this could have been a targeted attack through some means of phishing process or just a lucky random catch. Once infected this enabled the usernames and passwords of MICROS customers to be sent off site for potential further malware infiltration. MICROS is believed to have over 330K sites across 180 countries and includes big names in the retail and hospitality industry. When these customers log in to their support website or ticketing system for help the malware would then steal their login credentials enabling the attackers to potentially use those credentials at a later time to spread further malware which may have led to some of the big name breaches we have witnessed in recent months.

As this malware would be very stealthy it may have been there for some time secretly harvesting information without notice, because of the way malware infiltrates and propagates through systems it’s often chance that honey pots like this end up being captured and used for foul means but when they hit the jackpot the rewards can be massive.”

Jonathan Sander, VP of Product Strategy at Lieberman Software:

“Though these point-of-sale (POS) machines don’t look it, they’re essentially PCs under the covers. Like every other PC, they are vulnerable to attack by malware. The key problem is that since POS systems aren’t seen as PCs they aren’t protected like they are. Simple security basics like rotating and protecting admin credentials aren’t typically applied to POS systems. Like any other unprotected PCs, this almost ensures they will become a target. People need to see POS systems for what they are: PCs attached to the network handing sensitive customer information. Seen in that light, the PCs we call POS terminals will get the right security attention.”

Itsik Mantin, Director of Security Research at Imperva:

“This security incident against Oracle POS systems shows once again that no system is immune to security breaches. Like in other breaches, there are many unknowns, including 1) the length of time the malware was in the Oracle systems before discovery by the new security tools, 2) which data was stolen and 3) what the attackers have done with the stolen data.

It’s entirely possible that the data stolen in this breach including user credentials has been used to extend the hack into commercial web applications such as shops, hotels, and retail outlets.

This incident is yet again a lesson for any organization that has sensitive information: while attempting to avoid infection and penetration, you must have other plans in place to detect and contain an infection or a breach once it happens. It’s not enough to rely on password policies, which are of no use when the credentials are stolen, to prevent attacks. Those in charge of web applications should be mindful to take specific detection measures to validate the authenticity of login to the system, treating with caution login from unexpected countries or anonymous networks, or logins from a web bot and rate limiting login attempts, in particular, those using credentials known to be stolen.”