August 8, 2016

A Russian organized cybercrime group known for hacking into banks and retailers appears to have breached hundreds of computer systems at software giant Oracle Corp., KrebsOnSecurity has learned. More alarmingly, the attackers have compromised a customer support portal for companies using Oracle’s MICROS point-of-sale credit card payment systems.

Asked this weekend for comment on rumors of a large data breach potentially affecting customers of its retail division, Oracle acknowledged that it had “detected and addressed malicious code in certain legacy MICROS systems.” It also said that it is asking all MICROS customers to reset their passwords for the MICROS online support portal.

MICROS is among the top three point-of-sale vendors globally. Oracle’s MICROS division sells point-of-sale systems used at more than 330,000 cash registers worldwide. When Oracle bought MICROS in 2014, the company said MICROS’s systems were deployed at some 200,000+ food and beverage outlets, 100,000+ retail sites, and more than 30,000 hotels.

The size and scope of the break-in is still being investigated, and it remains unclear when the attackers first gained access to Oracle’s systems. Sources close to the investigation say Oracle first considered the breach to be limited to a small number of computers and servers at the company’s retail division. That source said that soon after Oracle pushed new security tools to systems in the affected network, investigators realized the intrusion impacted more than 700 infected systems.

KrebsOnSecurity first began investigating this incident on July 25, 2016 after receiving an email from an Oracle MICROS customer and reader who reported hearing about a potentially large breach at Oracle’s retail division.

“I do not know to what extent other than they discovered it last week,” said the reader, who agreed to be quoted here in exchange for anonymity. “Out of abundance of caution they informed us and seem to have indicated the incident was isolated to Oracle staff members and not customers like us.  In addition, this notice was to serve to customers the reason for any delays in customer support and service as they were refreshing/re-imaging employees’ computers.”

Two security experts briefed on the breach investigation and who asked to remain anonymous because they did not have permission from their employer to speak on the record said Oracle’s MICROS customer support portal was seen communicating with a server known to be used by the Carbanak Gang. Carbanak is part of a Russian cybercrime syndicate that is suspected of stealing more than $1 billion from banks, retailers and hospitality firms over the past several years.

Many well-known retail, hotel and food & beverage brands use MICROS.

A source briefed on the investigation says the breach likely started with a single infected system inside of Oracle’s network that was then used to compromise additional systems. Among those was a customer “ticketing portal” that Oracle uses to help MICROS customers remotely troubleshoot problems with their point-of-sale systems.

Those sources further stated that the intruders placed malicious code on the MICROS support portal, and that the malware allowed the attackers to steal MICROS customer usernames and passwords when customers logged in to the support Web site.

Oracle declined to answer direct questions about the breach, saying only that Oracle’s corporate network and Oracle’s other cloud and service offerings were not impacted. The company also sought to downplay the impact of the incident, emphasizing that “payment card data is encrypted both at rest and in transit in the MICROS hosted customer environments.”

In a statement that Oracle is apparently in the process of sending to MICROS customers, Oracle said it was forcing a password reset for all support accounts on the MICROS portal. Oracle added: “We also recommend that you change the password for any account that was used by a MICROS representative to access your on-premises systems.”

ANALYSIS

This breach could be little more than a nasty malware outbreak at Oracle. However, the Carbanak Gang’s apparent involvement makes it unlikely the attackers somehow failed to grasp the enormity of access and power that control over the MICROS support portal would grant them.

Indeed, Oracle’s own statement seems to suggest the company is concerned that compromised credentials for customer accounts at the MICROS support portal could be used to remotely administer — and, more importantly, to upload card-stealing malware to — some customer point-of-sale systems. The term “on-premise” refers to POS devices that are physically connected to cash registers at MICROS customer stores.

Avivah Litan, a fraud analyst at Gartner Inc., says Oracle seems to be saying its systems are encrypted, but that it’s the customer’s on-premise devices where the real danger lies as a result of this breach.

“This [incident] could explain a lot about the source of some of these retail and merchant point-of-sale hacks that nobody has been able to definitively tie to any one point-of-sale services provider,” Litan said. “I’d say there’s a big chance that the hackers in this case found a way to get remote access” to MICROS customers’ on-premises point-of-sale devices.

Point-of-sale based malware has driven most of the credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a slew of point-of-sale vendors. The malware usually is installed via hacked remote administration tools. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.

Thieves can then sell the data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to buy gift cards and high-priced goods from big-box stores like Target and Best Buy.

The breach comes at a pivotal time for Oracle, which has been struggling to compete with other software giants like Amazon and Google in cloud-based services. Last month, Oracle announced it would pay $9 billion to acquire NetSuite Inc., one of the first cloud-services companies.


112 thoughts on “Data Breach At Oracle’s MICROS Point-of-Sale Division”

  1. John Jacob

    I believe the Bloomin’ Brands also use Micro’s

    1. Joe

      Bloomin Brands does not use MICROS. All BBI sites use POSitouch.

  2. Anonymous

    Wondering if this is the same group.
    I had my debit account drained in 4 min on Friday evening
    by Admiral Discount T.

    I saw the test transaction show up on my phone,
    3 min later they had all of it. Could not get on the phone fast enough.

    1. somguy

      This is why you use credit card instead, or use debit set to secondary bank account, or withdrawal limits, etc.

      1. superninj4

        Yep, I haven’t bought anything with debit in years.

        At least if someone gets your cc info, you’re not immediately out actual money.

      2. E.M.H.

        Or a reloadable debit card from someplace like Simple, or AmEx Serve (which is sort of close to what you said in the second sentence). But yes, in principle I agree about shielding your bank’s debit card. That’s only smart. I myself have been hit twice via debit card compromise, and while I got fully reimbursed both times nearly immediately, it was still a bit of a hassle. Ever since then, it’s been all intermediary payment cards.

        1. Rick

          Or be like me and don’t even have a debit card.

  3. Tom R.

    @Anonymous

    Were you able to get your funds back?

    1. Anonymous

      Yes. They canceled the card and transactions on Friday.
      All my cash is back in on Monday (Today).

  4. Bruce L.

    If you do business with one of these vendors, and you use Apple Pay or one of the other variants of this type of coded transaction, could you be affected?

    1. Sasparilla

      Apple (Google) Pay generate one time use transaction numbers, so if the bad guys are grabbing stuff from merchants (as is suspected here) then you’d be good.

      However, if the bad guys are getting stuff from the backend at Oracle then I don’t know.

    2. Jim

      The simple answer is yes. Do not have Apple pay tied to your accounts at banks, especially any money accounts. Have it act like a debit card. A set amount, like this week’s Starbucks, and a few meals. Don’t think they are not trying to compromise the system. It’s just a matter of time. And they won’t tell you first.

  5. Jay

    Many POS sites have moved to separate pin pads for credit cards, and no longer swipe on the register. But not all.

    Also, Micros uses TransactionVault which tokenizes the credit card data so it is not really on the server. I believe they were encouraging their clients to use either FreedomPay or Elavon pin pads, both of which use P2PE.

    1. somguy

      None of which matters if they get credentials to login to customer computers remotely (which this story suggests was a possibility)

      1. Brooke

        I don’t know why you’d think that. If the credit card swipe is encrypted at the swipe device, it’s never in memory, storage or on the network in the clear for the bad guy to snoop/take. So if your pin pad is configured for end to end encryption with tokenization, you could be sitting with malware on the PC running the payment software but not get the credit card of a swipe. That’s the whole idea. Many retailers choose not to do this, usually because it costs a few cents per transaction to encrypt your data and you probably have to replace your pin pad readers and make code changes. But, it’s not in the clear if you’re encrypting it properly except at the swipe device and wherever you process payments. You could be totally owned on a malware laced PC and your CC data should be good. Now, they could do other horrible things once on the payment station but they shouldn’t get your credit card data.

        I don’t know why this is so difficult to understand and people in high up decision making places can’t wrap their little heads around it (or big egos).

        1. Ryan Mack

          Nonsense. End to end encryption is worthless if one of the endpoints is compromised (as would be the case here). If the PC is compromised any other programmable device connected to it can also be compromised (in most cases, right down to the firmware).

          1. Grit

            Brooke is mostly correct here, actually. Point to Point Encryption is a technology that has been glossed over in favor of far less impactful security measures.

            P2PE is designed to protect against exactly what you describe – a complete compromise of the Point-of-Sale terminal. If properly implemented, there is nothing the attacker can do to reverse encryption on a pad. It’s not a setting that can simply be turned off and on. Try to mess with the pad firmware and you’re likely to brick the device. They’re designed to be pretty well tamper proof.

            I’ve yet to see a proven instance where card information was stolen in transit from an encrypted pad transaction. I wouldn’t go so far as to say it’s impossible – but it hasn’t been done yet, and probably will never be worth an attacker’s time to try to reverse engineer a credit pad. It would be immediately obvious something is wrong when the retailer starts seeing un-encrypted card numbers coming through their system again.

            1. Jim

              The point everyone is forgetting, all encryption from a sales, has to contain certain data. One of the data segments, has to have a key. Remember in communication and databases, things have to fit certain points. And in certain formats. That is from someone who worked in assembly and db1. So there are commonalities in all the transmissions. Now add in a third party, who receives the same data. They get the whole thing, to and from the parties involved. Do you need all the data, or just the bounceback, that says, sale accepted?

            1. Brooke

              I can tell you for a fact, at a decent sized retailer when we looked into encryption at the pin pad, we never would get the keys. Only the bank processor that we passed the encrypted transactions to could open them. The Pin pad encrypted it, the host OS it was plugged into, couldn’t. Yes, there are ways to get at that data and if you have the keys you can certainly decrypt. But the “who has the keys” question is one person in this equation. You’d have to breach the retailer and the bank, not impossible but certainly better than just breach the retailer.

        2. Ken

          Brooke the quick answer is cost. P2PE requires new hardware with key injection and an additional cost per transaction to the P2PE provider. The costs add up especially if you just did an EMV roll out. If you are lucky you might not need new gear but a key injection into the card reader is an operationally expensive and time-consuming task for all but the smallest merchants and they generally can not afford any of these precautions. You are still left with an additional fee per transaction from P2PE provider.

    2. Ken Robinson

      As the article mentioned, the issue does not seem to be that the breach at Oracle allowed direct access to credit card information, but instead, allowed the attackers a means to install malware on a customer’s account that would allow it to be uploaded to the POS terminals.

      If the breach of credit card information was done directly on the Oracle systems, it is likely that the source of many breaches would have been found by now. But, a breach of this manner makes it more difficult to determine the single central source where the compromise was made.

      For instance, I wonder if the Wendy’s breach originated from this. The last I read, after the original round of malware was cleaned, more popped up, and they weren’t able to determine how it was happening. This could explain it, and is a reason why I’ve always tried to stress that you have to protect your code and code repositories with the same due diligence that you protect the actual data, and maybe even more.

  6. ZerodaY

    Possible they used the Micros support portal as a watering hole attack to conduct drive-by malware downloads of BlackPOS, POSeidon, or any other current RAM scraper to the merchant victim POS networks. Probably more effective than trying to stay in Oracle’s network and would provide huge amounts of magstripe data.

  7. kjstech

    They forgot the oft. Get it MICROS oft MICROSoft Microsoft!

  8. Jeff

    I use cash. To the best of my knowledge, my cash has never been hacked or compromised.

    1. E.M.H.

      Every time a POS or payment card story comes up, there’s always at least one guy who has to post this. Every time.

      The problem is that it’s a bad point of view. It presumes that cash in hand is cash that’s safe. That is simply not the case. Cash stolen is often not recoverable. A credit card can be replaced, or if fraudulent charges are made, they can and almost always will be rectified. On top of that, who would carry around $10,000 of cash on their person and not be paranoid? I’d want a gun and an armed bodyguard if I did that. Yet, I could carry around that much buying power and more in credit cards yet confidently surrender it in a robbery while being safe in the knowledge that I can easily cancel those cards. And also have little to worry about other than inconvenience if the charges are made without my knowledge, armed robbery or internet theft.

      Outside of security, payment cards can be tied to purchases without receipts. Good luck doing that with cash. On top of that, what would the payment card equivalency of counterfeit currency be? A fake credit card? Regardless of all the problems that imposes, at least you’re not truly out of money as you would be if given counterfeit cash as, say, change or a purchase.

      I haven’t even covered the convenience factors inherent in mail and internet ordering.

      I don’t mean to pick on Jeff here, but these posts are so emblematic of backwards thinking. It presumes regression to past methods is a good solution to a current problem. It’s like proposing that going back to all paper is a great way to conduct business just because records are being hacked. It’s throwing away all the benefits that affect a bigger picture of efficiency, security, and consumer protection just to solve the single problem of hacking. That’s just backwards.

      1. Arbee

        It’s not directly relevant to Brian’s story, but balancing cash and plastic, I’d suggest: both. Yep, I have an assortment of plastic (credit only, no debit), but I’ve experienced protracted wide-spread weather-related power outages. In those circumstances, plastic was useless even as a flotation device. Not having some cash on hand would be silly. I’d leave the plastic-or-cash decision to the individual. It’s not either / or. Both options have merit.

        1. E.M.H.

          Well, I’m not saying I use zero cash, nor that there’s no place for it anywhere. I’ve got dough right now in my pockets for the vending machines where I’m at. And was using cash for tipping hotel service staff recently.

          My argument is against going back to *all* cash and avoiding cards period. Not against the circumstances where cash makes sense.

      2. jj

        Actually, I think he’s right. Credit cards were designed to be convenient. Too convenient, it turns out. Going backwards to go forwards is a temporary solution. Since reading Brian’s blog, I have used cash for almost all of my transactions, with the exceptions of airline travel and Amazon.

        Also, putting nutter words in this guy’s mouth like he’s living in a cabin in Montana hissing at passing cars. All he’s really saying is that his cash hasn’t been hacked. Is he wrong?

        Did you know that when the Germans discovered (via Snowden) that the Americans were spying on their communications, they considered going back to a paper system? It’s virtually unhackable, though, of course, not convenient. The tubes with the air vacuums, etc..

        1. E.M.H.

          *This* poster may have only made that statement, but you’ll note in my first paragraph I was addressing the people – plural – who always post in this vein. I wasn’t “putting nutter words” in one man’s mouth, I was addressing the sentiment that’s been made obvious by multiple posters over multiple threads here and elsewhere.

          Two, Germans “going back to a paper system”: Yes, German Parliament member Patrick Sensburg stated this outright. Yet, there’s strong opposition to the idea (“This call for mechanical typewriters is making our work sound ridiculous. We live in the 21st century, where many people communicate predominantly by digital means. Effective counter-espionage works digitally too. The idea that we can protect people from surveillance by dragging them back to the typewriter is absurd.” – Christian Flisek), and the actual actions taken by the government center around using secure technology rather than going “paper” (One specific measure is the order to use encrypted cell phones for sensitive calls and ban consumer phones from such tasks).

          Just because something is proposed doesn’t mean it’s a good idea, or even that the majority believes it’s good. Inefficiencies introduced by doing this would be phenomenal. And as IT security blogger Graham Cluley pointed out, going that route merely switches one spying problem for another.
          I would argue that you are not correct about such systems being “virtually unhackable”; it just means the compromise of the data contained within takes different approaches. Ones that were used widely before the internet was even a dream.

        1. null

          These days Cash does make plenty of sense. Many people make lots of small purchases, so use cash for those. Doing that does not require someone to carry that much. I spend about $2000/year in cash, leave most of it at home, replenish as needed. As a result not that many businesses get my credit card number and the less that do, the less the risk.

      3. me

        How often are you robbed in person versus having a credit card number stolen and used? Credit card numbers can be stolen from across the world without you even knowing it was taken from you (why payment networks are accessible via the Internet in the first place never ceases to amaze me).

        Even if you wanted to pay cash for a $10,000 purchase, you would only need to carry it at the time you went to make the purchase, not all of the time. Or use a check.

        Why are we always waiting for incremental improvements to bad ideas? Why can’t we go back to what was tried and true while we wait for something better?

        1. E.M.H.

          Yes, card *data* can be stolen. But that in and of itself is merely a step towards actually obtaining the money a card represents. If a compromise is caught soon enough and the card invalidated, then no money gets lost, save for the minor amounts on the issuing bank’s end for processing a replacement card. You can’t say the same for cash. I can get “robbed” 10 times via card data compromise yet not lose any real money to begin with if the identification/cancellation process works fast enough. And even for those times when it doesn’t and money is taken, it gets refunded. I get zero refunds if I get robbed of cash, nevermind that it would occur less often. My point was not about rate of occurrence, it was about remediation. There is no remediation when cash is stolen unless the police get extremely lucky. But theft remediation is built right into the payment card service.

          Re: Checks – not as secure a transaction. Plus, trivially forgeable. As a friend of mine attested to when I complained about my card having to be replaced in the Target breach (a check was presented against his account in some bank in New Jersey. He’s never been there – he lived in the midwest at the time – and never wrote that check). I didn’t lose money in the Target breach (I did in other compromises, but not the Target one). He lost money in a scam so small it never even made local news. And he was all alone in proving the theft.

          Payment cards are not in and of themselves a bad idea. They have bad security implementations. That’s the real problem. And that’s why I say going back to cash is such a poor solution to it: It doesn’t fix the problem. It doesn’t encrypt the channels, nor force merchants to be more diligent about upgrading their POS terminals, nor force card providers to be better about their PCI infrastructure. The real solution is to improve all that. Avoiding cards removes one customer who can provide pressure to the banks and processors to remedy those problems. That’s why I’m so against adamant about those posts. Even in the best circumstance, going back to cash puts the burden of loss onto the individual while removing the burden of remediation from the banks, which turns into yet one less reason to fix stuff.

          1. me

            I really do understand your position of “avoiding cards removes one customer who can provide pressure to the banks and processors to remedy those problems.” I used to be the same way about online banking — I started using it in the mid 1990s with a DOS program that dialed a modem to connect to my bank and download transactions before it became Internet based. I often felt like a guinea pig, but I hung in there hoping that by using it I would help them to work out the rest of the quirks compared to the “old fashioned” method. But it never got all the way better. I finally gave up online banking in 2011. I still have credit cards, but am using them less and less the more breaches there are and the more times my card number gets stolen.

    2. timeless

      E.M.H. covered many points about why cash is a bad response.

      Some others:
      * You can lose cash, it can fall out of your wallet/pocket.
      * Someone can give you counterfeit cash, and you can lose that value.
      * Cash has weight and bulk.
      * Getting cash involves a transaction which could be just as dangerous if not more dangerous than a plastic purchase. Debit cards are the riskier means of making transactions whether as cash withdrawals or payments to merchants.
      * Cash doesn’t automatically account for transactions.
      * Cash doesn’t generally reward you for transactions.
      * Cash payments don’t get extended warranties/insurance.

  9. David

    I used my credit card 1 time at Wendy’s during the breach time period and it was finally compromised a week ago. First time ever it happened to me but once was enough to change me into a cash only person.

  10. Dennis Kavanaugh

    Interesting that a customer called in and triggered the public announcement. So either (1) the customer call was their detection mechanism (scary), or (2) they knew about it already but chose not to tell anyone (scary). Not sure which one is more scary, probably the latter.

  11. Nicole

    I used my debit card at one of the above listed retail sites last weekend. But the POS terminal used was via the chip and pin method, the card was not swiped. Should I be worried?

    1. Vog Bedrog

      No 🙂 That’s the whole point of chip & PIN.

      1. Nicole

        Thank you, Vog! 🙂 Relieved that the particular retailer had the option. Other retailers have the Chip & Pin POS machines, but are not ready for you to use your card into the chip slot. Therefore, as you know, you’d have no other option but to swipe your card, sad face 🙁

    2. Justin

      Hello Nicole,

      No you shouldn’t have to worry if you didn’t swipe your card. Your chip encrypts your card data and presents a new ‘token’ for each transaction so it’s like having a new card number each time. When you swipe your card they steal your Track 1 and Track 2 data which they are then able to encode into another card, but they cannot do this for chips (yet….)

      1. Nicole

        Thank you & Hello, Justin! I fully understand your nice and concise explanation. And yes, I agree with you…(yet). Not anytime soon, we can only hope!

        1. Vog Bedrog

          EMV chips have been around in the wild for 30 years and haven’t been copied yet, if that’s any indication. Also, the standard allows for controls against use of duplicated cards (they can be shut down automatically if transaction counters get out of sync) so even the idea of counterfeit chip cards isn’t concerning.

  12. Mark Rogers

    Wendy’s appears to be a customer of Oracle as well as Kimpton. Datapoint looks like it had integration with MICROS or leveraged it in some way, this may/would tie Cici’s Pizza to them as well. I wonder if cyber insurance covers liability to customers

  13. valerie

    Did this breach affect any machines using the chip technology?

  14. Dale L

    I used my Visa CC at Grease Monkey on the 30th, made a reservation online at Holiday Inn on the 28th. (Haven’t used the card since March at a Wyndham property).
    Then on the 31st there were 3 charges, online order for food and purchases at online retailers.
    I wonder which one of these 3 is the culprit?

    1. Dave

      FYI – both Wyndham and Holiday Inn (IHG) use Opera as their property management system which is also a Micros/Oracle product……so could be either of these as well

  15. Enter your name

    Brian ; anything on the Delta hack that has me sleeping on the nasty carpet of SFO?

      1. Jason R

        Some pilot tweeted it was a hack. I doubt it was – just sounds easy to blame “we were hacked” vs. “we were foolish in our operational setup.” All I have read was that it was a power issue.

        Of course, why would you run such a huge operation without redundant data centers such that you are not tied to one geographical location?

        1. Cash

          Perhaps the volume of transactions prevents such a system from existing in a truly geographically redundant design. As for redundant power & cooling systems, designing that stuff is based on well-known engineering principles.

          I once worked for a company with 2 geographically redundant data centers. They scheduled switchovers between data centers on a very regular basis, partly to enable to code & features, partly to prove the redundancy worked, and it did work very well to the level of 99+% reliable switchovers. The problem they had was keeping the 2 locations “in sync” on time sensitive “real time” data as the volume of data to be exchanged and synced was beyond the ability of any vendor’s system to handle.

          Someone will call “BS” on me, but I can’t reveal the company name, yet you would know the name in an instant and I would lose my retirement benefits just before I was sued for disclosing confidential info.

        2. Joe

          Another pilot said it was a fire in the data center: http://arstechnica.com/business/2016/08/data-center-disaster-disrupts-delta-airlines/
          “According to the flight captain of JFK-SLC this morning, a routine scheduled switch to the backup generator this morning at 2:30am caused a fire that destroyed both the backup and the primary. Firefighters took a while to extinguish the fire. Power is now back up and 400 out of the 500 servers rebooted, still waiting for the last 100 to have the whole system fully functional”

  16. Olive Oil

    I just received a call from my MasterCard debit card company and they have canceled my card because of a data breach, but would not tell me what company had the data breach. I assume it was Oracle. UGH!!!!!

  17. Joe Mama

    What many people need to understand is that most of the sites using Micros are not hosted by Micros. Many of them have in house servers with Micros workstation at FOH. On top of that most Micros customers have varying credit card processors that in no way go through the Micros host. Most of the hotels are hosted by Micros and yes many Micros customers use Merchant link with the TransactionVault driver to process their credit cards. On average however Micros customers are not linked to the Micros hosted servers in any way.

    1. Mark Rogers

      “We also recommend that you change the password for any account that was used by a MICROS representative to access your on-premises systems.”…this would imply that where it data is hosted is not necessarily relevant but instead if the hardware or software were supported by MICROS or Oracle, they are at risk

    2. PayChick Behind the Scenes

      You are correct about Merchant Link and the use of ML’s TransactionVault. However, not all ISVs who integrate use TV by default. MICROS, now branded Oracle Payments, isn’t exclusive to ML. While ML does have the largest base of Oracle Payments’ hospitality market, i.e. hotels (many mentioned above), they also have direct connections into payment processors. MICROS also has a semi-integrated solution to remove sensitive card data from the POS itself. So the real questions are: Were these sites using the secure method of integration, whose front end payment system were they using for processing, were the systems up to date, and who was the nitwit that had weak credentials to allow someone to access their company’s support portal. Not all companies share 1 portal. Because my husband received a new card due to a possible breach and based on the timing of the breach, where we were, and where we used it, I pretty much have narrowed it down to the culprit. But that’s just my opinion; I could be wrong.

  18. Bob

    Oracle purchased Micros to destroy SQL, a major competitor which was and still is being used on most Micros POS Databases. Oracle does not care about the POS side of Micros. They have no new systems for POS since they purchased the company more than a year ago. That is why they are being hacked today.

    1. Bob

      SQL is not a product of a particular company. SQL is a standards-based query language that is most commonly used to access relational databases. Database vendors can, and usually do, add extensions to the language. Oracle calls their version, PL-SQL. Microsoft calls their version Transact SQL.
      Having said that, there is no doubt that one of Oracle’s goals is to dominate the database market.

  19. vb

    Given the cost of a POS data breach, both actual and customer goodwill costs, I have to believe that those merchants are not going to be very forgiving if Oracle is determined to be the source of their breaches. My prediction is that this may be headed to court.

    Statements like “payment card data is encrypted both at rest and in transit in the MICROS hosted customer environments.” may not stand up in court. Allowing the payment card data to be stolen from RAM makes a mockery of that statement.

  20. brb

    Something to keep in mind about cc security. Many global companies that have sufficient security (e.g. tokenization) – that may only apply to North America. Outside North America, it’s not uncommon for it to be terrible. Wouldn’t be surprised if this occurred in the Micros Frankfurt facility.

  21. Makes sense

    This makes sense now – I had two cards compromised within a few days. Never used both at the same place, and too much a coincidence.

  22. Cash

    Stuff like this simply reinforces my desire to pay for stuff in cash whenever possible and reasonable.

    1. Robert.Walter

      Because calling to have fraudulent pending charges cancelled and a new card issued is so difficult?

  23. netmarine

    I am a former employee of the Oracle Retail division, post Micros acquisition. I’ve worked on most of the Micros retail assets including their POS.
    A data breach within the Oracle network will have zero impact on any Micros customer’s POS application. Why? Because every Micros POS customer owns it outright from the perspective of hosting it on premises. Said differently, Oracle/Micros do not and cannot host a Retailer’s POS application within the Oracle/Micros network.
    The way Micros POS is sold is the retailer purchases X number of licenses for Micros POS. The retailer hires a third party implementation partner to customize and deploy the Micros POS application on the retailer owned computing systems (cash registers/terminals/mobile devices). The Retailer is subject to PCI audits. Most Micros POS customers are not major retail brands. The Micros POS application is not capable of scaling up to the size of a Walmart, Home Depot, Gap, Limited Brands etc… retailer with more than a few hundred brick and mortar locations.
    The irony here to me, is that Oracle paid 5+ billion for Micros. Micros at the time had some 24 or more POS applications among its assets. The one vetted for the N. American market is called XStore. XStore replaced the former 360Commerce POS application Oracle purchased in 2007. The 360Commerce POS application was officially removed from new license sales in 2015. It so far, knock on wood, has never been breached. The 360Commerce POS application was or is still currently used by almost every Tier 1 and above retailer with the notable exceptions of Walmart, Target, Macy’s and TJX.
    Target was going to purchase the 360Commerce POS application in 2006 but backed out when Oracle announced it was acquiring 360Commerce due to some prior animosity between Target and Oracle.
    All that aside, Oracle is obviously being extra cautious by requesting Micros customers reset their passwords for the Micros support portal. The media in its infinite need for attention, I’m thinking of the Simpsons episode about advertisers, must exploit the opportunity to cry the sky is falling and imply that any customer who’s ever swiped a credit card on a Micros branded terminal is going to have their CC data sold to some slim shady on the dark web because this particular Russian cyber crime syndicate is involved. I guarantee the Carbanak gang has learned that there is no direct connection between Oracle and any of its Micros customers’ POS applications. Oracle doesn’t provide direct level 1, 2, 3 or 4 or even 5 if there were such a thing, support to its customers and therefore will never have direct access to a customer’s POS terminal.

    1. BrianKrebs Post author

      Thanks for weighing in, but if what you stated is true, what’s this that Oracle says about changing the credentials? It would seem to fly in the face of what you’re trying to say, which is Oracle can’t touch on-premises systems. Quote:

      “We also recommend that you change the password for any account that was used by a MICROS representative to access your on-premises systems.”

    2. Dan

      Netmarine, Can you also explain why many of the companies pictured in this article have had their systems compromised and answer Brian’s question? Just a coincidence? I don’t think so. The intel the hackers gathered would have been priceless.

  24. Ron G

    The Carbanak Crew rises again. As long as Putin keeps on getting his cut, these guys will never be apprehended.

    Unfortunately, *we* (the U.S.) set the new ground rules when we released Stuxnet, and now it’s “anything goes”, in love, war, and the Internet. (We may come to regret this as we have more to lose than they do.)

    Regarding cash versus credit, I decided about 3 days ago that I’m never using the card again except in those rare circumstances where I have to. I mean this stuff is just getting ridiculous now. Thanks to Brian, we all now know that big batches of cards are being hacked, regularly, with notable and sizable breaches now occurring a couple of times a week.

    The credit card industry has a large and growing PR problem. But rather than confront it publicly, they are following the Abraham Lincoln playbook: You can fool all of the people some of the time, and some of the people all of the time… (I mean what the hell? So far it has kinda sorta worked for Trump!) But in the long run, I believe that this is going to end badly for the card companies. They and their multiple levels of partners have screwed up so badly, so many times and in so many different ways. I mean people are stupid, but they’re not THAT stupid. Eventually people are gonna wise up, realize that all this “convenience” they’ve been sold on comes at a great cost in security, and when folks start just simply not using cards, en masse, the worm will have turned, and it will be too late to gain back the lost trust.

  25. goodok apple

    If debit or credit fraud then financial institutions will reimburse 100% all the loss so no problem! You as customer need to keep your info don’t surf porn sites don’t download after you cry and complain here

    1. somguy

      Not true, check your specific account for policies.
      Some credit cards say they have a $50 liability for fraud for instance (which they are allowed to under the law). That means NOT a 100%

  26. Trish K

    We have been hacked 4 times in the last 2 1/2 years, 3 times on the CC and once on the debit/cc (which wiped out that account, both savings and checking). We have tracked that each time and my husband had used the fitness center at the O’Hare Hilton prior to the hack. Each time he paid via cc and once our debit cc. They are finally investigating this, but how interesting the last hack was this past Saturday and the last time he used his cc was there and 6 days prior. Their security told me it is a POS system with cameras everywhere, and that someone using a reader would be difficult and almost impossible, well maybe now they might figure out the issue. We have always gotten our money back or not been charged for the fraudulent transactions, but what a hassle, cards are shut down, new ones issued etc. New rule anything under 50.00 pay cash, we do have a travel card for international atms with just enough money for each trip, but hotels are a different story, you need a credit card for all of the pre authorizations and when you are traveling for 3-5 days it adds up.
    Moral of the story: have alerts set up on all cards, debit or credit, any withdraws, swipes, charges I get a notice on my phone, if I do not recognize it and it is not from a place my husband is traveling, I call the bank. Be your own watch dog, a thief is a thief and it is easier for them than a real job, and it is only going to get worse not better.

  27. nkj

    If you leave house you leave door unlocked??? Of course not ?? So if not careful don’t cry!!
