MICROS, a point-of-sale (POS) payment systems vendor owned by Oracle, has suffered a malware attack, security news site KrebsOnSecurity reported on August 8, 2016. MICROS is one of the three largest POS systems used globally by many companies in the retail and hospitality industry. It appears that Carbanak (aka Anunak), a Russian cybercriminal gang known to hack into retailers, penetrated up to 700 computer systems at Oracle, also compromising a customer support portal for companies using Oracle’s MICROS POS credit card payment systems.

Krebs indicated that Oracle first began investigating this incident on July 25, 2016 after receiving an email from a MICROS customer and reader who reported hearing about a potentially large breach at Oracle’s retail division.

Notably, while the extent of the incident is still under investigation, Oracle has acknowledged that it had “detected and addressed malicious code in certain legacy MICROS systems” and is asking all MICROS customers to reset their passwords for the MICROS online support portal as well as the passwords for any account that was used by a MICROS representative to access their on-premises systems. Oracle also indicated that its corporate network and other cloud and service offerings were not impacted and that “payment card data is encrypted both at rest and in transit in the MICROS hosted customer environments.”

Oracle’s statements and use of the term “on-premise” (which refers to POS devices that are physically connected to cash registers at MICROS customer stores) raise some questions as to whether Oracle is concerned that compromised credentials for customer accounts at the MICROS support portal could be used to remotely administer and upload card-fraud malware to customer point-of-sale systems, thus making the customer’s on-premise devices vulnerable as a result of the malware attack.

While it is not yet known how, or if, retail companies have been affected, retail and hospitality MICROS customers should consider taking the following steps:

  • Confer with their IT department and/or forensic consultants.
  • Follow Oracle’s instructions to reset their passwords for the MICROS online support portal and their passwords for any account that was used by Oracle to access their on-premises systems.
  • Check their POS systems for any installed malware.
  • Should there be an infiltration as a result of this vulnerability, or for any other reason, companies would be wise to consult with their insurance broker as to whether they have potentially applicable insurance and, if so, notify their insurer.
  • Comply with any applicable regulatory obligations, including notifying their customers of any confirmed breach of their security systems.