NEXTEP Systems, a Troy, Michigan-based point-of-sale vendor for restaurants, corporate cafeterias, casinos, airports among a variety of other venues was recently notified by federal law enforcement that some of its customers locations had been compromised in a potentially wide-scale credit card breach.
Several financial institutions traced a string of fraud on credit cards all recently used by one of NEXTEP’s largest customers, Zoup. The food chain has 75 soup eateries that are spread across the northern half of the United States and Canada.
Acknowledging the breach, last week KrebsonSecurity reached out to Zoup, shortly after hearing of the string of fraud indicating some form of a card breach at any number of Zoup locations. Zoup CEO, Eric Ersher said that NEXTEP had recently informed them of a possible security issue within its point-of-sale devices. Ersher said Zoup runs NEXTEP point-of-sale devices throughout all of its some 75 locations.
While questioning NEXTEP on the breach, NEXTEP President Tomy Woycik, emphasized the company does not believe all customers were impacted by the possible security issue.
“NEXTEP was recently notified by law enforcement that the security of the systems at some of our customer locations may have been compromised,” Woycik wrote in an emailed statement. “NEXTEP immediately launched an investigation in cooperation with law enforcement and data security experts we retained to determine the root cause and remediate the issue. We do know that this is NOT affecting all NEXTEP customers, and we have been working with our customers to ensure that any issues are addressed. This remains an ongoing investigation with law enforcement. At this stage, we are not certain of the extent of the breach, and are working around the clock to ensure a complete resolution.”
A breach at a point-of-sale vendor can be severe, possibly impacted a large number of organizations as has happened in the past. Just last year a pattern of credit card fraud appeared at a sandwich shop across the nation due to a security vulnerability cybercriminals were able to exploit within the physical point-of-sale machine. That specific breach later resulted in 100 other restaurants using the point-of-sale system to be impacted.
Just earlier this year, another point-of-sale vendor, Advanced Restaurant Management Applications (ARMA) disclosed that an attack induced by malware on their point-of-sale systems resulted in several of its clients credit and debit card numbers being exposed.
Another breach last year on a point-of-sale vendor lasted 18 months, resulting in the breach of 330 Goodwill locations worldwide.
It’s unclear what the possibly NEXTEP breach may hold, but it presumably involved amass of stolen card numbers hijacked from any number of point-of-sale devices.
With point-of-sale malware, cybercriminals are able remotely steal credit and debit card numbers or swipe data from infected point-of-sale machines. Stolen cards are then sold on the underground for anywhere between $20 to $100 per card depending on the card type and its limitations. Criminals can also buy encoded card data, allowing them to re-encode faulty plastic cards with the magnetic strip data to then make counterfeit purchases at big box retailers.
KrebsonSecurity believes it is likely more point-of-sale vendor breaches will be announced in the coming weeks. Bringing details that they are currently in the process of tracking down a common thread behind what appears to be breached point-of-sale vendors tied to three different major cities around the nation.