Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
eWEEK.com
Search
eWEEK.com
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Chipotle Breach Exposes Continued Point-of-Sale Cyber-Security Risks

    By
    SEAN MICHAEL KERNER
    -
    May 30, 2017
    Share
    Facebook
    Twitter
    Linkedin
      PoS malware

      Restaurant chain Chipotle Mexican Grill is the latest to reveal that its payment card systems were breached, exposing users to cyber-crime risks.

      Chipotle first began to investigate the possibility of a Point-of-Sale (PoS) breach on April 25 and has now confirmed that many of its restaurants were in fact exploited by PoS malware between March 24 and April 18.

      “The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device,” Chipotle wrote in a security advisory. “There is no indication that other customer information was affected.”

      Chipotle has not publicly identified the specific strain of PoS malware that infected its systems, though it has stated that the malware has been removed. Chipotle has also stated that it is working with undisclosed cyber-security firms to help improve the company’s security.

      The incident at Chipotle is far from unique and follows a series of restaurant and retail breaches that have occurred in recent years. Thus far in 2017 restaurant chain Arbys disclosed a breach in February and retailer Brooks Brothers reported a breach in May.

      PoS Is Inviting Target

      PoS security incidents have been occurring on seemingly regular basis since at least December 2013 when retailer Target first disclosed that its systems were breached. After the Target breach there was increased scrutiny over PoS security as the retail chain tried to determine the root cause.  

      Though the Target breach should have served as a wake-up call to other retailers, other big name store chains also fell victim to PoS security incidents including Home Depot, which revealed a breach in September 2014.  Among the major sources of retail breaches in 2014 was a malware family known as Backoff, which the U.S Secret Service reported had infected more than 600 businesses.

      Retail and restaurant chains that handle credit cards are supposed to be compliant with the Payment Card Industry Data Security Standard (PCI-DSS), yet despite that compliance, breaches are still regularly reported. PCI-DSS defines best practices and operational procedures that are intended to help to keep payment card data secure.

      Despite the fact that the cause of PoS breaches have been examined and debated since at least 2014 and the fact that PCI-DSS compliance should limit the risk of breaches, incidents like the one at Chipotle, continue to occur.

      Though it is possible that some retail and restaurant PoS breaches involved zero-day malware, it’s more likely that the malware was already known, but perhaps just not yet patched by the victim. Having patched software is important to limit the risk of PoS malware, but so too are having multiple layers of monitoring in place.

      Just because malware gets onto a system, doesn’t mean that data has to get out. A Data Loss Prevention (DLP) type of technology platform can be used to further limit data loss risks. Watching administrative user credentials and activity for potentially malicious activity is another good best practice to help harden cyber-security defenses.

      The simple truth is that PoS malware is not new and the way PoS malware infiltrates a system and exfiltrates data is well understood by the cyber-security profession. Not every retailer however understands PoS attacks, or takes all the necessary steps to limit risks, which is why new PoS breaches  will continue to occur in the months ahead.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      CHRIS PREIMESBERGER - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      CHRIS PREIMESBERGER - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      EWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      ZEUS KERRAVALA - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      WAYNE RASH - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Info

      © 2020 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×