Consumerist reports that Oracle admitted the serious breach in a letter to its customers. It acquired MICROS two years ago for a reported $5 billion, purchasing the rights to produce and market its popular point-of-sale terminals.
MICROS systems power over 330,000 terminal systems in stores spread across 180 countries. They are used in stores ranging from small trading operations to retail giants like Hilton, Marriott, Starbucks and IKEA. The hack is significant as it could affect thousands of companies and their customers in locations all over the world.
Much remains unknown about the nature of the attack. Oracle hasn’t confirmed when or how the hackers obtained access to its systems. The size and scope is still under investigation, according to security researcher Brian Krebs who was the first to report on the intrusion.
Krebs said the group behind the breach was “organized” and Russian. According to sources “close to” Oracle’s internal investigation, the company initially believed only a handful of computers and servers within its retail division to be affected. As new security tools were deployed to its network, the true extent of the attack became clear. At least 700 systems are now known to have been impacted.
In a letter to customers, seen by Consumerist, Oracle instructed all MICROS users to change their passwords for every MICROS service. “Oracle Security has detected and addressed malicious code in certain legacy MICROS systems,” the company explained.
The attackers are thought to have entered the systems through Oracle’s support portal. According to Krebs, Oracle became aware of the incident when its security staff noticed the MICROS customer support server communicating with a server known to be used by the Carbanak Gang. The gang is a Russian cybercrime group thought to have stolen over $1 billion from retail groups and banks over the past few years.
Once fully installed on the network, the malware allowed the attackers to steal MICROS customer usernames and passwords. There are now fears that these stolen credentials could be used to remotely compromise point-of-sale payment terminals within customer stores. The attackers could upload card-stealing malware to these machines, emptying bank accounts to bolster their own wallets.
This could explain a string of recent retail hacks involving point-of-sale terminals in shops, hotels and outlet stores within the past few months. One analyst told Fortune “it’s very likely” that the Carbanak Gang are behind these thefts, using the malware inserted into Oracle’s systems to infect the payment terminals.
Krebs points out that Oracle’s own statement concerning the breach appears to admit that customer point-of-sale systems could have been infected. While it reassured customers that all transactions are encrypted, it also seems to be saying that on-premises devices are the most at risk due to the attack.
Oracle is continuing to investigate the breach and is willing to assist customers seeking support in the wake of the attack. It is preparing to send a statement to every MICROS user informing them of the events.
Every customer will find their support portal password has been forcefully reset by Oracle. All other MICROS passwords should also be reset, preventing the attackers using any stolen credentials to load card-skimming malware onto store payment terminals.
