Payment processor Verifone is investigating a breach of its systems, with knock-on effects on a number of companies running its point-of-sale machines.
The company told investigative journalist Brian Krebs that the breach was “limited to its corporate network”, and that the payment services network was not affected.
Krebs writes: “Verifone is the largest maker of credit card terminals used in the United States. It sells point-of-sale terminals and services to support the swiping and processing of credit and debit card payments at a variety of businesses, including retailers, taxis, and fuel stations.”
On 23 January, Verifone sent an “urgent” email to all company staff and contractors, warning they had 24 hours to change all company passwords.
“We are currently investigating an IT control matter in the Verifone environment,” reads an email memo penned by Steve Horan, Verifone's senior vice president and chief information officer. “As a precaution, we are taking immediate steps to improve our controls.”
The internal Verifone memo also informed employees they would no longer be allowed to install software of any kind on company computers and laptops.
Asked about the breach reports, a Verifone spokesman said the company saw evidence in January 2017 of an intrusion in a “limited portion” of its internal network, but that the breach never impacted its payment services network.
“In January 2017, Verifone's information security team saw evidence of a limited cyber intrusion into our corporate network,” Verifone spokesman Andy Payment said. “Our payment services network was not impacted. We immediately began work to determine the type of information targeted and executed appropriate measures in response. We believe today that due to our immediate response, the potential for misuse of information is limited.”
Payment declined to answer additional questions about the breach, such as how Verifone learned about it and whether the company was initially notified by an outside party.
But KrebsOnSecurity.com reported that a source with knowledge of the matter said that Verifone was responding to a notification received from credit card brands Visa and Mastercard a few days prior to Verifone's employee alert.
Brian Vecci, technical evangelist at Varonis, said this represented a major failure of the POS provider. “Unlike Target where a contractor's credentials were used to compromise the POS system, in this case the POS provider itself was compromised. With the prevalence of SaaS providers of all types replacing many in-house systems, organisations have to be more vigilant about what data they provide to their partners and how that data is secured.”
Itsik Mantin, director of security research at Imperva, said: “Whether or not it happened depends on many factors, one of the most important ones is how much time had passed from the breach to its discovery. From what we know, breaches remain undiscovered for weeks, months and sometimes even years when, during this period, attackers can collect sensitive data and record users' credentials without interference. Then a single user that uses the same or similar password to access both the enterprise network and the payment system can be the bridge for the attacker to travel between the systems.”