NEXTEP Systems, a Troy, Mich.-based vendor of point-of-sale solutions for restaurants, corporate cafeterias, casinos, airports and other food service venues, was recently notified by law enforcement that some of its customer locations have been compromised in a potentially wide-ranging credit card breach.
The acknowledgement came in response to reports by sources in the financial industry who spotted a pattern of fraud on credit cards all recently used at one of NEXTEP’s biggest customers: Zoup, a chain of some 75 soup eateries spread across the northern half of the United States and Canada.
Last week, KrebsOnSecurity reached out to Zoup after hearing from financial industry sources about fraud patterns indicating some sort of card compromise at many Zoup locations. Zoup CEO Eric Ersher referred calls to NEXTEP, saying that NEXTEP was recently informed of a security issue with its point-of-sale devices. Ersher said Zoup runs NEXTEP’s point-of-sale devices across its entire chain of stores.
In an emailed statement, NEXTEP President Tommy Woycik confirmed Ersher’s account, but emphasized that the company does not believe all of its customers are impacted.
“NEXTEP was recently notified by law enforcement that the security of the systems at some of our customer locations may have been compromised,” Woycik wrote. “NEXTEP immediately launched an investigation in cooperation with law enforcement and data security experts we retained to determine the root cause and remediate the issue. We do know that this is NOT affecting all NEXTEP customers, and we have been working with our customers to ensure that any issues are addressed. This remains an ongoing investigation with law enforcement. At this stage, we are not certain of the extent of the breach, and are working around the clock to ensure a complete resolution.”
A breach at a point-of-sale vendor can impact a large number of organizations, and historically the chief victims of POS vendor breaches have been food service establishments. Last year, a pattern of credit card fraud at hundreds of Jimmy John’s sandwich shops across the country was traced back to security weaknesses that fraudsters were exploiting in point-of-sale systems produced by POS vendor Signature Systems Inc. Signature later disclosed that the breach also impacted at least 100 other independent restaurants that use its products.
Earlier this year, Denver-based point-of-sale vendor Advanced Restaurant Management Applications (ARMA) disclosed that malware attacks on its POS devices exposed credit and debit cards for a number of its clients’ customers in Colorado, many of them restaurants.
Another point-of-sale vendor breach uncovered last year by KrebsOnSecurity — that of C&K Systems — lasted 18 months and resulted in card fraud for customers of some 330 Goodwill locations nationwide.
It’s unclear what’s behind the NEXTEP breach, but if previous such breaches are any indicator, the incident may have involved stolen credentials used to remotely administer affected point-of-sale systems. In June 2014, POS vendor Information Systems & Supplies Inc. notified (PDF) customers that a breach of its Log-Me-In account exposed credit card data of stores that used its systems for nearly two months last year.
With remote access to point-of-sale devices, crooks can then upload card-stealing malicious software to the POS terminals. The stolen card data is quite valuable — typically selling for anywhere from $20 to $100 per card on underground cybercrime stores. Crooks can encode the stolen card data onto anything with a magnetic stripe and use the counterfeit cards to buy high-dollar merchandise at big box stores.
It seems quite likely that we’ll hear about additional breaches at POS vendors in the weeks ahead. KrebsOnSecurity is currently in the process of tracking down the common thread behind what appear to be breached POS vendors tied to three different major cities around the country.