Oracle's MICROS point-of-sale division has been breached, including a compromise of a customer support portal for companies that use the MICROS PoS systems, according to a report from security reporter Brian Krebs.
Carbanak, the Russian organized cybercrime gang, has been implicated in the attack, according to Krebs. So far, details of the breach are sparse, and it's unclear when the breach occurred and how long it lasted. Oracle has not yet released any further information about the breach other than a notification letter sent to MICROS PoS customers.
"Oracle Security has detected and addressed malicious code in certain legacy MICROS systems," the letter read. "To prevent a recurrence, Oracle implemented additional security measures for the legacy MICROS systems. Consistent with standard security remediation protocols, Oracle is requiring MICROS customers to change the passwords for all MICROS accounts."
Krebs wrote that hundreds of computers may have been breached at Oracle, according to anonymous sources, and the MICROS customer support portal was observed communicating with a server linked to the Carbanak cybercrime group. Carbanak was linked last year to the theft of up to $1 billion from as many as 100 banks and financial institutions.
Although the database giant offered no further information, Oracle's notification letter offers clues to what may have happened and what is at risk. Oracle noted that its corporate network and other cloud and service offerings were not affected by the attack, and that only the Oracle MICROS division was affected. The company also stated that "[p]ayment card data is encrypted both at rest and in transit in the MICROS hosted environment," suggesting that consumer payment information was not compromised.
However, the mandatory password reset suggests that MICROS PoS customers' usernames and passwords have been compromised; Oracle also warned: "We also recommend that you change the password for any account that was used by a MICROS representative to access your on-premises systems."
Oracle acquired MICROS Systems in 2014, for approximately $5.3 billion. Oracle says it now provides integrated MICROS PoS software, hardware, services and cloud products to approximately 330,000 locations for customers in the hospitality, food and beverage and retail industries across 180 countries.
With the timeline of the breach still undetermined, John Bambenek, manager of threat systems at Fidelis Cybersecurity in Waltham, Mass., urged Oracle MICROS clients to investigate their past interactions with the customer support portal.
"If I were a MICROS customer, I would review all received support emails over the past year or so looking for evidence of social engineering or using their ticketing system to deliver malicious payloads," Bambenek said. "Unfortunately, until more details are known there isn't much actionable information to be used."
Find out more about how the Oracle MICROS PoS breach demonstrates supply chain risks.
Learn more about how the Carbanak cybercrime group operates.
Read more about endpoint management lessons that can be learned from PoS breaches.