Foodies sue providers of hacked payment system
Breaches R Us
Customer Success Testimonial: Recovery is Everything
A group of restaurants is demanding millions of dollars in damages from two companies accused of selling point-of-sale terminals that exposed customer data to criminal hackers.
In a complaint filed in Louisiana state court, the restaurants claim the Aloha POS software manufactured by Georgia-based Radiant Systems failed to comply with the Payment Card Industry Data Security Standard. The lawsuit also names Louisiana-based Computer World, the exclusive provider of the Aloha POS software in the south central part of that state.
"We're saying that Radiant breached its obligation to sell software that was compliant with PCI industry standards and that it stored full magnetic data" on hard drives, in breach of those regulations, Al J. Robert Jr., one of the attorneys representing the restaurants, told The Register. "We're just trying to make our clients whole."
According to the eight-page complaint, which was filed in March, Visa USA in April 2007 identified the Aloha POS to be in violation of PCI standards because it stored prohibited data - such as card verification data and personal identification numbers - after transactions were completed. Around the same time, Radiant was advertising the software was PCI compliant.
About a year later, the restaurants learned from local law enforcement officials of a "potential compromise of customer credit card information." An investigation ultimately revealed that their systems were infected with keyloggers, the complaint states.
The restaurants were forced to pay the costs of cleaning up their systems and fines levied by credit card companies for failing to comply with the PCI standards, according to the lawsuit.
According to a press release distributed last month, the POS terminals failed to meet other PCI provisions. Not only did Computer World's remote access system lack adequate patches, it also used the same password for at least 200 operators.
A statement issued by Radiant said the company doesn't comment on pending litigtion. "What we can say is that Radiant takes data security very seriously, and that our products are among the most secure in the industry," it continued. "We believe the allegations against Radiant are without merit, and we intend to vigorously defend ourselves."
Computer World representatives didn't respond to a request to comment for this article.
The judge hearing the case recently ruled that the suit can be pursued collectively by affected businesses, a decision that may prompt more plaintiffs to come forward, said Charles Y. Hoff, an attorney for the Georgia Restaurant Association.
The suit was filed in the 15th Judicial District Court in Louisiana's Lafayette Parish. More from Wired.com is here. ®
This article was updated to add comment from Radient.
COMMENTS
As acronyms go
the one for Point of Sale is really unfortunate, particularly in cases like this.
Call the card companies...
The PCI compliance program is very stringent. If someone is not compliant they mat lose their ability to process that particular brand of card (MasterCard, Visa, etc.). I didn't bother looking for any kind of contact information but I'm sure there is a way you could report these issues to the card companies anonymously. I work in a retail company now but used to work in a hospital for many years. The staff here gets just as anxious about PCI audits as hospital staff used to be about HIPAA compliance. I mean even the software industry has the BSA. I'm sure the card companies would be interested in hearing these stories because the fraud obviously costs them and their business partners money.
Missed point, or paranoid ramblings? ..unless you are much smarter than everyone I know (of)
I ask of you, how would you propose a card/chip based transaction that does not include every detail needed to verify it?
The trick to this, and where Aloha fell down, was that the credentials are stored very temporarily in volatile memory. The processing company stores the credentials somewhat more permanently (in a queue) but still with a TTL measured in minutes to fractional hours, and behind a much more robust security system, usually with encryption.
I'm not sure where you got the idea of backups of full creds from, at most the backups are of a summarized, redacted set to ID the transaction, but not enough to duplicate the transaction, or create another one. Other than you (on the card/chip) the PoS terminal, the processing co., and the bank, no-one else has full credentials. The accountants, revenue service, back-ups, et al., get something like "<amnount> charged to <CC company (Visa/MC/etc.)> number xxxx-xxxx-xxxx-<last four> by <merchant> on <date>" not a lot that can be done with that.
IT infrastructure monitoring strategies
What you need to know about cloud backup
Agentless Backup is Not a Myth
Top 10 SIEM implementer’s checklist
Customer Success Testimonial: Recovery is Everything
