Point-of-sale vendor NEXTEP SYSTEMS confirmed it was notified by law enforcement that the security of some of its systems at customer locations may have been compromised.
“NEXTEP immediately launched an investigation in cooperation with law enforcement and data security experts we retained to determine the root cause and remediate the issue,” Tommy Woycik, president of NEXTEP SYSTEMS, said in an emailed statement. “We do know that this is not affecting all NEXTEP customers, and we have been working with our customers to ensure that any issues are addressed. This remains an ongoing investigation with law enforcement. At this stage, we are not certain of the extent of the breach, and are working to ensure a complete resolution.”
Security blogger Brian Krebs reported that sources in the financial industry observed a pattern of fraud activity involving payment cards used at Zoup!, a restaurant franchise with locations around the country. Zoup! referred Krebs to NEXTEP SYSTEMS, with Zoup! CEO Eric Ersher reportedly stating that NEXTEP SYSTEMS had recently been notified of a problem with its PoS devices.
If the breach is at NEXTEP SYSTEMS, it will not be the first point-of-sale (PoS) vendor to have been targeted by hackers. Last year, Charge Anywhere disclosed it was impacted by an attack that may have compromised data going back as far as 2009. In other case, PoS vendor Signature Systems acknowledged it had been victimized by an attacker who gained access to a username and password the company used to access PoS systems remotely.
“Many traits of the typical restaurant chain’s payment ecosystem are inherently vulnerable to data breaches,” said George Rice, senior director of payments at HP Security Voltage. “Frequently, restaurant franchisees are often given the flexibility of managing their own POS systems, which makes brand-wide payment security a big challenge.”
In an unrelated breach, health food chain Natural Grocers confirmed last week that payment card data was indeed compromised in an attack. However, the company stressed there is no evidence any PIN information or card security code numbers were compromised. In addition the company said it is in the process of upgrading PoS systems at all 93 of its stores.