US parking operator: YEP, hackers got your names, credit card numbers, secret codes...
DOH! Card expiration dates too
Point-of-Sale systems have been hacked at major US parking garage operator SP+.
The breach has resulted in the exposure of customer financial information, SP+ explained at an advisory on Friday. SP+ said it had learned of the breach from the firm that handles its payment card processing.
The firm operates about 4,200 parking facilities in hundreds of cities across North America but the breach is localised to 17 SP+ parking facilities, mostly in Chicago. Other parking garages in Philadelphia, Seattle and Cleveland have also been affected. The parking firm's advisory (extract below) warns that the payment information of an as-yet unknown number of customers who used plastic to pay for parking at the affected garages - information which included the cardholder's name, card number, expiration date, and verification code - had been stolen.
On November 3, 2014, SP+, a professional parking facility service provider, received a notice from the company that provides and maintains the payment card systems in some of its parking facilities that an unauthorised person used that company’s remote access tool to connect to computers that process payment cards in a limited number of those facilities. Upon learning this, SP+ immediately launched an investigation and engaged a leading computer forensic firm to examine the payment systems in the parking facilities.
The unauthorised person used the remote access tool to install malware that searched for payment card data that was being routed through the computers that accept payments made at the parking facilities. While SP+ was conducting this investigation, it identified one additional facility where card data was at risk. The information from payment cards that may have been captured by the malware is the cardholder’s name, card number, expiration date, and verification code.
This incident affected 17 SP+ parking facilities. Though SP+ does not have sufficient information to identify whether any specific cards were taken or to mail notification letters to the potentially affected cardholders, SP+ wanted to let its customers know about this incident as soon as it could.
The security flap follows a plethora of Point-of-Sale system breaches in the US this year affecting Home Depot, Subway sandwich restaurants, KMart, and more.
“[The] announcement by parking garage operator SP+ should warn every organisation that accepts credit card payments that they are an active target," said Steve Hultquist, chief evangelist at network visibility vendor RedSeal.
"Every organisation must understand the current avenues used to attack payment systems, but must also go beyond that knowledge to completely analyse their entire infrastructure to be certain that it is configured as intended, that security zones are properly configured and enforced, all network devices are hardened against potential attack, any network-accessible vulnerabilities are prioritised first for patching, and generally continuously audit the entire infrastructure to discover any violations of the security architecture before it can be exploited,” he added.
Additional security commentary on the incident by Lisa Vaas on Sophos's Naked Security blog can be found here. ®