Oracle Retail Systems Division Suffers Breach


The attack affected servers at Oracle’s MICROS retail division and may also have allowed access to point-of-sale systems

Oracle has confirmed MICROS, its point-of-sale subsidiary, has been affected by a computer attack that reportedly involves Carbanak, a Russian criminal group linked to large-scale thefts from banks, retailers and hotel chains.

Oracle said in a statement it has “detected and addressed malicious code in certain legacy MICROS systems” and said it is requesting all MICROS customers to reset the passwords they use to log into the MICROS online support portal.

Top vendor

MICROS is one of the top three global vendors of the point-of-sale systems used to process card payments, and says its systems are used at more than 330,000 cash registers around the world. Its customers include well-known retailers, hotels and food and beverage outlets.

The details of the attack haven’t been disclosed, but more than 700 internal systems at Oracle’s retail division were affected, according to a report by security journalist Brian Krebs that cited unnamed people familiar with the investigation.

The breach is thought to have begun with a single infected system inside of Oracle’s network that was used to gain access to other internal systems, including a customer portal used to help MICROS customers remotely troubleshoot problems with point-of-sale systems, according to the report.

Malicious code was found on the MICROS support portal that allowed the attackers to steal customer usernames and passwords when users logged in, the report’s sources said.

Carbanak link

Systems on that portal were found to be communicating with a server linked to Carbanak, suggesting the gang’s involvement, according to unnamed security experts cited in the report. The breach investigation appears to have begun in mid-July, Krebs said.

In a letter quoted in the report, Oracle advised MICROS customers to change the passwords used for their support accounts and those used by MICROS representatives to access on-premises systems.

Oracle said its corporate network and its other offerings were not affected by the breach, and said MICROS payment card data is encrypted.

The company’s letter to MICROS customers suggests that the compromised credentials could potentially be used to remotely access and implant card-stealing code on some customer point-of-sale systems, Krebs pointed out.

If so, and if the Carbanak gang was indeed involved, it seems unlikely the group would pass up a chance to exploit that access, he argued.

A MICROS customer quoted in the report said, however, that the password reset had been requested “out of abundance of caution”, saying the company had told customers only Oracle staff were affected.

Most of the large credit card breaches over the past two years, including those affecting Target and Home Depot, have been effected by malware placed on point-of-sale devices, usually installed via hacked remote administration tools, security experts have said.

Such code allows attackers to remotely capture data from each card swiped at the cash register, which can then be sold to criminals who manufacture counterfeit cards using the data and use the cards to make purchases or cash withdrawals.

Oracle declined to offer further comment.
