BreachExchange mailing list archives

Restaurants Sue Vendor for Unsecured Card Processor


From: security curmudgeon <jericho () attrition org>
Date: Tue, 1 Dec 2009 10:03:10 +0000 (UTC)



---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.wired.com/threatlevel/2009/11/pos/

By Kim Zetter
Threat Level
Wired.com
November 30, 2009

Seven restaurants have sued the maker of a bank card-processing system for 
failing to secure the product from a Romanian hacker who breached their 
systems.

The restaurants, located in Louisiana and Mississippi, have filed a 
class-action suit against Georgia-based Radiant Systems for producing a 
point-of-sale (POS) system that they say was not compliant with payment 
card industry security standards and resulted in an undetermined number of 
customers having their debit and credit card numbers stolen.

The suit alleges that the system stored all of the data embedded on the 
bank card magnetic stripe after the transaction was completed -- a 
violation of industry security standards that made the systems a high-risk 
target for hackers.

Also named in the suit is Computer World, a Louisiana-based retailer, 
which sold and maintained Radiant's Aloha POS system.

According to plaintiffs, Computer World's technicians allegedly installed 
the remote-access program PCAnywhere on the systems to allow its 
technicians to fix technical problems from off-site. The only problem is, 
the company failed to secure the program. The suit alleges that the system 
was not up to date with software patches, and the PCAnywhere remote log-in 
and password that technicians used to access the POS systems was the same 
at every one of the 200 Louisiana locations where the system was 
installed. According to one of the plaintiffs who spoke with Threat Level, 
the default login was "administrator" and the password was "computer."

[...]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
