Security Alert: Oracle Micros POS Breach

P2PE vs E2EE

Oracle Micros Data Breach Summary

Hacked: Oracle Micros POS Division

Hacker: Carbanak Gang (Russian Cyber Crime Syndicate)

Affected Systems: Oracle Micros Support Portal, Oracle Micros systems

Size and Scope: TBD

Immediate Action: Customers should immediately reset passwords for the Oracle Micros Support portal

More Information

Oracle Micros has announced that a data breach, of yet unknown size and scope, has affected their customer portal and some computers and servers within their retail division.  The full scope of the breach is still unknown.  Merchants who have implemented a PCI Validated P2PE solution (and likely any SRED-based encryption solution) need not worry, as a properly implemented PCI P2PE solution does not allow unencrypted data within the POS environment (even if the POS server is hosted in the cloud).

A core requirement for PCI P2PE solutions is that the merchant has no access to the decryption key, and therefore nor does the compromising hacker, making encrypted card data relatively impossible to decrypt.  Major data breaches have not subsided, and all merchants – regardless of size – should consider de-sensitizing and removing their environment from scope by implementing a PCI P2PE security solution to protect their customers’ data.  The PCI Security Standards Council built the P2PE standard for a reason, and it is the best option for any merchant looking to protect their organization and brand.  The full list of PCI P2PE solutions can be found here:

Full Article (Source: Krebs on Security)

A Russian organized cybercrime group known for hacking into banks and retailers appears to have breached hundreds of computer systems at software giant Oracle Corp., KrebsOnSecurity has learned. More alarmingly, the attackers have compromised a customer support portal for companies using Oracle’s MICROS point-of-sale credit card payment systems.

Asked this weekend for comment on rumors of a large data breach potentially affecting customers of its retail division, Oracle acknowledged that it had “detected and addressed malicious code in certain legacy MICROS systems.” It also said that it is asking all MICROS customers to reset their passwords for the MICROS online support portal.

MICROS is among the top three point-of-sale vendors globally. Oracle’s MICROS division sells point-of-sale systems used at more than 330,000 cash registers worldwide. When Oracle bought MICROS in 2014, the company said MICROS’s systems were deployed at some 200,000+ food and beverage outlets, 100,000+ retail sites, and more than 30,000 hotels.

The size and scope of the break-in is still being investigated, and it remains unclear when the attackers first gained access to Oracle’s systems. Sources close to the investigation say Oracle first considered the breach to be limited to a small number of computers and servers at the company’s retail division. That source said that soon after Oracle pushed new security tools to systems in the affected network investigators realized the intrusion impacted more than 700 infected systems.

KrebsOnSecurity first began investigating this incident on July 25, 2016 after receiving an email from an Oracle MICROS customer and reader who reported hearing about a potentially large breach at Oracle’s retail division.

“I do not know to what extent other than they discovered it last week,” said the reader, who agreed to be quoted here in exchange for anonymity. “Out of abundance of caution they informed us and seem to have indicated the incident was isolated to Oracle staff members and not customers like us. In addition, this notice was to serve to customers the reason for any delays in customer support and service as they were refreshing/re-imaging employees’ computers.”

Read more

About PCI Blog 1420 Articles
PCI Blog is the most trusted PCI Compliance and IT Security blog on the web. Authored by industry experts within the payments and IT security industries, PCI Blog provides insight on the complex world behind modern compliance and security standards. As a wholly independent source of news within the payments industry, PCI Blog focuses on the ever-changing responsibilities of merchants who accept credit cards. PCI Blog also provides reviews on PCI compliance tools and enterprise security solutions to offer a fair, independent critique of product offerings within the payments industry.

Be the first to comment

Leave a Reply