Research firm finds MICROS hackers infected more POS vendors

News by Bradley Barth

Trailing not too far behind the news that hackers have compromised a leading point-of-sale system is the new revelation that at least five more vendors have been hit with similar breaches

Fresh off the revelation that hackers compromised the customer support portal for Oracle's MICROS point-of-sale systems (POS), the retail and hospitality industry was rocked again by reports that at least five more POS vendors were similarly breached by the same hackers.

A report published yesterday by, citing founder and CISO of Hold Security Alex Holden, states that the hackers responsible for the MICROS plot also infiltrated the servers of POS and cash register providers Cin7, ECRS, Navy Zebra, PAR Technology and Uniwell. Collectively, these companies supply at least one million POS systems to retailers, restaurants, hotels and other enterprises around the world.

However, in an interview with, Holden noted that he publicly named only those vendors that have actively responded to his firm's disclosure of the threat. "From our perspective, the list is larger," he cautioned.

According to a report from Brian Krebs, two security experts said that MICROS' compromised support portal was communicating with a server linked to the Carbanak Gang, a Russian cyber-crime syndicate. By infecting and secretly communicating with a POS vendor's network, adversaries can lie in wait for that vendor's business customers to log in, steal their passwords, and use them to gain access to the customers' POS systems and implant malware that steals payment card data.

According to Holden, many hackers no longer want to directly target specific retailers' POS infrastructures, instead preferring to infiltrate the POS vendor itself. "They want to go to the source, they want to abuse [POS systems] in mass quantities," he explained, noting that by compromising a POS vendor's network, an adversary can opportunistically attack a bevy of merchants in one fell swoop, not just one at a time.

This "new wave" of POS attacks could potentially cause breach incidents to spread like "wildfire," he warned, when asked if he anticipated a surge in incident disclosures.

"Businesses need to regularly update POS systems for legitimate business reasons. But the same access tools that facilitate this update process are the weak points that criminals exploit," said George Rice, senior director at HPE Security - Data Security. "Once they gain access, thieves may exfiltrate sensitive cardholder data by embedding data-stealing malware into the merchant POS. More often than not, malware will reside in insecure systems for months before being detected, which can expose large quantities of sensitive data records to data thieves."

Holden said that in the wake of the MICROS report, his firm conducted a historical data analysis that appeared to link the black-market activity of one particular hacker, "on our radar since 2013", to multiple POS vendor compromises, thus revealing the plot.

"I am personally surprised by the ease with which hackers were accessing these victims," said Holden. These were not advanced exploits of zero-day vulnerabilities, but rather simple intrusions that should have been quickly detected and mitigated, he added. "It's not [showing] how good the hackers are, but it is showing how bad the security of... these sites is." has reached out to the five named POS vendors for comment.
