Natural Grocers is investigating a breach impacting customer payment card data.
The incident has been contained, and the company said law enforcement is investigating the matter. So far, Natural Grocers has not received any reports of fraudulent use of customer information, and there is no evidence that any PINs or card verification codes were accessed. In addition, the company said no personally identifiable information such as names, addresses or Social Security numbers was compromised, because the company does not collect that type of information as part of its payment processing system.
“While its investigation is ongoing, Natural Grocers has accelerated pre-existing plans to upgrade the point-of-sale system in all of its store locations with a new PCI-compliant system that includes point-to-point encryption and new pin pads that accept ‘chip and PIN’ cards,” the company said in a statement. “These upgrades provide multiple layers of protection for cardholder data. The company is in the process of installing this new system at all 93 Natural Grocers stores in 15 states.”
According to security blogger Brian Krebs, the attackers broke into Natural Grocers just before Christmas by attacking vulnerable database servers. From there, they were reportedly able to pivot around the network and infect the PoS systems.
“The movement of the attackers laterally within the internal network underscores a reality of modern networks: attacks are automated, patient, multi-step, and multi-phase,” said Steve Hultquist, chief evangelist at RedSeal. “Attackers probe for weaknesses, then use each weakness to dig further into the network, uncovering more weaknesses and further value each step.”
“Malware such as BlackPoS requires a bit of strategic planning on the part of the adversary; much of the system lacks the point-and-click intuitive nature of commodity botnets,” CrowdStrike noted in its recent Global Threat Intel Report. “For less-organized or less-skilled adversary groups, an off-the-shelf kit such as Dexter PoS may allow for exploitation and offensive capabilities that may not otherwise be possible.”
“The large majority of company transactions are processed through everyday applications … and hackers know that their actions are often hidden in the large volume of data generated through normal user activities—making it an ideal hacking target,” said Matt Zanderigo, product marketing manager at ObserveIT. “By knowing that their activities won’t raise alarms, the end result is that these companies only find out a breach has occurred when bank investigators see large batches of card numbers go up for sale on the black market.”