POS firm says hackers planted malware on customer networks

Nearly 140 bars, restaurants, and coffee shops all over the US have had POS systems infected with malware.
Written by Catalin Cimpanu, Contributor

North Country Business Products (NCBP), a Minnesota-based provider of point-of-sale (POS) products, announced a security breach last week. The company said hackers compromised its IT system and later planted POS malware on the network of some of its customers.

The breach occurred on January 3, 2019, according to NCBP. The company said it detected suspicious activity on its network on the second day and started an investigation with the help of a third-party forensic investigator.

The investigation confirmed the breach on January 30, but according to NCBP, the attacker also appears to have detected investigators probing around, and ceased all activity on January 24.

NCBP has now published a list of 139 locations where the attacker compromised the POS network and deployed POS malware. All are either bars, coffee shops, or restaurants, with some being standalone businesses, while others are franchises located in various hotel chains.

Most businesses have one or two locations listed, but three have multiple shops listed as infected. Dunn Brothers Coffee is listed with 66 locations, Zipps Sports Grill with nine, and Someburros with seven.

The malware was not active on the networks of all businesses and locations at the same time; in some cases it was active for only one or two days.

The shorter infection intervals at some locations might be related to the security measures deployed there, such as security software or encrypted local traffic.

NCBP is still investigating the nature of the security breach and has yet to determine how each business has been impacted. The POS vendor has sent a letter to all affected companies inquiring if any had the "encryption capability" on its POS systems enabled "as that should have prevented the malware from becoming operational."

The malware, which was not named in NCBP's breach notice, could harvest cardholder name, credit card number, expiration date, and CVV, the company said.

"To date, NCBP has not received any reports of actual or attempted misuse of this information," it said.

NCBP is offering information on its website's front page for potentially affected customers. [Please be advised that the list of locations where the malware was active contains 137 entries on the NCBP website. For the full 139 entries, please consult this document here.]

NCBP POS systems are installed at over 6,500 locations, meaning the breach impacted only 2 percent of the POS firm's customer base.

A similar incident affected another POS vendor in 2018. Coffee shop chain Caribou Coffee said that 239 of its locations had their POS systems infected with malware after a breach at its POS vendor. The name of the vendor has yet to be revealed.