Restaurant chains possible victims of POS data breach

Another day, another data breach, this time affecting as-yet-unnamed restaurants in the northwestern United States.

Information & Supplies, a Vancouver, Washington-based POS and security systems provider, recently notified restaurant customers of a remote-access compromise that may have exposed credit and debit card data from POS transactions between Feb. 28 and April 18.

"We recently discovered that our LogMeIn account was breached on February 28, March 5 and April 18, 2014," said IS&S President Thomas Potter in the letter obtained by Bank Info Security. "We have reason to believe that the data accessed could include credit card information from any cards used by your customers between these dates."

Once again, the point of intrusion appears to be a third-party vendor, a method similar to the one used in the Target breach, which compromised the credit card and personal information of more than 70 million shoppers.

"This latest breach is another wake-up call for retail and hospitality companies to evaluate their vendors and the tools they use to remotely access and support POS systems and networks," said Boatner Blankenstein, senior director of solutions engineering for Bomgar, a secure remote IT access provider. "This gets complicated in the franchise model because each franchise typically selects its own POS and IT service vendors, who in turn select their own remote access tools."

Even when these vendors select modern remote access tools, they often use simple or shared login credentials, with no multi-factor requirement, making them an easy target for hackers with keystroke loggers, explained Blankenstein in an email. "At a minimum, companies should mandate that all vendors use a remote access tool that discourages shared credentials, captures a complete audit trail of all remote support activity, and supports multi-factor authentication. But there's an opportunity for large franchisors to take remote access security beyond simply publishing best practices."
