Verifone downplays impact of recent breach

Payment processing giant Verifone is playing down the impact of a recently discovered breach on its internal computer networks, as well as concerns over wider problems against point-of-sale systems.

Verifone says the extent of the breach was limited to its corporate network and that its payment services network was not impacted beyond attempted attacks on PoS systems at a handful of gas station convenience stores. News of the breach was uncovered by cybercrime sleuth Brian Krebs, who reproduces a copy of an internal memo from January urging staff to change up their passwords as a precaution following the suspected breach.

In response to queries from El Reg, Verifone supplied a detailed statement saying that the minor security flap had been quickly contained.

According to third-party forensic teams, this cyber attempt was limited to approximately two dozen U.S. gas station convenience stores and occurred over a short time period. No other merchants were targeted and the integrity of our payment networks and Verifone’s payment terminals remained secure and fully operational.

Verifone’s information security team identified evidence of this very limited cyber intrusion into our corporate network in January 2017, and we proactively notified Visa, MasterCard and other card schemes.

In concert with our partners, Verifone immediately implemented additional security controls across its corporate networks and began work to determine the type of information that may have been targeted.

It is also worth noting that there have been no adverse events or misuse of any data resulting from this incident. Verifone, partner agencies, and law enforcement remain vigilant and will continue to monitor for this.

We believe that our immediate response and coordination with partners and agencies has made the potential for misuse of information extremely limited.

Brian Vecci, technical evangelist at Varonis, commented: “Unlike Target where a contractor's credentials were used to compromise POS system, in this case the PoS provider itself was compromised. With the prevalence of SaaS providers of all types replacing many in-house systems, organisations have to be more vigilant about what data they provide to their partners and how that data is secured."

Itsik Mantin, director of security research at Imperva, added: “Little information is available about the incident, but despite [the] Verifone clearing siren for the payment system remaining intact, there are many ways an infection can propagate from the enterprise network to the payment system." ®