Oracle Corp. confirmed to Krebs on Security that some of its systems—including a customer portal supporting merchants using Oracle's Micros point-of-sale payment system—have been breached, allegedly by a well-known group of Russian criminal hackers.
A Gartner analyst believes the attack may be linked to POS hacks and incidents of stolen payment card data that have occurred at retailers, restaurants and other merchant locations in recent months. Oracle is instructing merchant customers to change their log-in passwords for the portal.
Oracle acquired the Micros technology two years ago for $5.3 billion, and the POS terminals are used at about 330,000 locations in 180 countries, putting them among the three most widely used POS systems in the world.
Though this was not a direct hack of a retailer, it certainly takes one back to the devastating security attacks suffered by retailers such as Target and Home Depot. It's also a reminder at a time when retail is in hackers' sights more than ever before that an attack doesn't have to target a retailer specifically in order to threaten to retailers and their customers.
And by the way, we may not know the full extent of the attack and its implications yet. What may be most startling is that Oracle at this point seems to know quite little about the attack—how and when it happened, for how long it went on, and to what extent merchant data may have been accessed.
Oracle is reassuring its customers that transactions are encrypted, but the real fear is that if hackers accessed credentials allowing them to remotely access in-store POS equipment, they might be able to install malware capable of collecting customer card data. Already, there's an open question—and no answers as of yet—as to whether information accessed in the Micros hack already has been used to attack merchant POS systems.
Is your sense of déjà vu about previous large-scale data breaches suddenly growing more acute?
The retail industry is going to hope it doesn't hear much more about this one until Oracle comes back with a post mortem based on its ongoing investigation, but this initial incident itself should be enough to force retailers and their suppliers and partners to take a much closer look at how security is implemented and managed throughout every inch of their ecosystem. The best attitude to have is that if there is a gap in security, and you don't find it, someone else will.