Connect with us

Hi, what are you looking for?


Incident Response

Verifone Investigating ‘Limited Cyber Intrusion’

Verifone is investigating a breach that it has described as “a limited cyber intrusion” into its corporate network.” It believes that “that due to our immediate response, the potential for misuse of information is limited.”

Verifone is investigating a breach that it has described as “a limited cyber intrusion” into its corporate network.” It believes that “that due to our immediate response, the potential for misuse of information is limited.”

KrebsOnSecurity has published an internal memo dated Jan. 23 sent to all Verifone staff and contractors. It says the payment solutions firm is currently investigating an IT control matter, and asks everyone to change their employee passwords within 24 hours. It also states that employees will no longer be able load new software onto their company desktop and laptop computers; that is, local admin privileges are being removed.

These two actions are typical responses to an actual or likely breach — although many security professionals will be surprised that staff still had local admin status. The memo was sent by Steve Horan, Verifone’s CIO, rather than CISO David Galas. At this time, the Krebs report is the sole source of information on the breach.

A Verifone spokesperson told Krebs, “In January 2017, Verifone’s information security team saw evidence of a limited cyber intrusion into our corporate network. Our payment services network was not impacted. We immediately began work to determine the type of information targeted and executed appropriate measures in response. We believe today that due to our immediate response, the potential for misuse of information is limited.” At that time he declined to give any further information.

However, a ‘source’ told Krebs that the internal memo was in response to warnings from Visa and Mastercard. Historically, many breaches are discovered not by organizations themselves, but by banks and financial institutions detecting suspect patterns in account usage. If this is what happened, and the ‘limited incursion’ is related to the Visa and Mastercard alerts, then the implication is that the breach was more extensive than Verifone is currently claiming.

However, Krebs’ source (who seems to have deep inside knowledge of the breach) goes further, claiming that Mastercard and Visa suggested that “the intruders appeared to have been inside of Verifone’s network since mid-2016.” He also told Krebs “there is ample evidence the attackers used some of the same toolsets and infrastructure as the cybercrime gang that last year is thought to have hacked into Oracle’s MICROS division.”

If this is true, although it cannot currently be verified, then the finger points at the gang usually known as Carbanak or Anunak. In February 2015, Kaspersky Lab described this gang as a group of cybercriminals from Russia, Ukraine and other parts of Europe and China.

Advertisement. Scroll to continue reading.

Given that the Verifone memo locks down endpoints and changes passwords, it seems likely that the initial intrusion has been traced to an employee device. Statistically, it would be a reasonable assumption that someone fell for a phishing attack and installed malware; but that is just another assumption at this point. However, if Krebs’ source is correct, then the attackers had been inside Verifone for at least six months before this remedial action was taken.

Six months gives attackers ample time to perform lateral movement. This would be hindered by effective network segmentation within Verifone. It seems that this might be the case. The Verifone spokesperson described it as a limited incursion. Krebs’ source only mentions one affected area of Verifone: “A customer support unit based in Clearwater, Fla. that provides comprehensive payment solutions specifically to gas and petrol stations throughout the United States – including, pay-at-the-pump credit card processing; physical cash registers inside the fuel station store; customer loyalty programs; and remote technical support.”

This now seems to have been confirmed by Verifone. Following Krebs’ initial report it issued an update to its original statement. “According to the forensic information to-date, the cyber attempt was limited to controllers at approximately two dozen gas stations, and occurred over a short time frame. We believe that no other merchants were targeted and the integrity of our networks and merchants’ payment terminals remain secure and fully operational.”

On the surface, it appears that Verifone has indeed experienced a breach, but the effects were limited and have been contained. Nevertheless, we will need to await further developments before this is independently confirmed. Six months remains a lengthy period to have attackers as advanced and experienced as Carbanak inside your networks; and it remains a possibility that they may have moved laterally to other parts of the Verifone network.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...

Artificial Intelligence

Two new surveys stress the need for automation and AI – but one survey raises the additional specter of the growing use of bring...

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.