Beware of Cybercriminals

“I didn’t know that people would come here, in West Haven, one of the best car washes in West Haven, to [steal credit card information], so it was very surprising.”
This was the statement made by Splash Car Wash CEO Mark Curtis, following a data breach in which cybercriminals gained entry to their POS network and stole credit card information, a la the Target and other retailer data breaches.
To be honest, I think most readers will share this sentiment. I know I did. And I know that many customers I speak with would as well. A local (i.e., within the state) car wash? Targeted by cybercriminals? Really? Yup.
In this case, to summarize, it is believed that the cybercriminals:
• leveraged Symantec’s pcAnywhere to access POS devices (by exploiting either default passwords or software vulnerabilities)
• installed malware to skim credit card info from 1400 customers over a 3-month period
• leveraged that information to purchase gift cards in small ($100) amounts
What’s particularly interesting to me, beyond the fundamental fact that a local car wash chain would be targeted, is that there was early speculation in the case of the Target data breach earlier this year that access to POS systems had been gained via BMC systems management tools. Perhaps this is a common method of access by cybercriminals: systems management tools with default passwords. Either way, it suggests that retailers of all sizes should ensure that they have proper identity and access management policies, procedures and even technology in place, at a minimum to ensure default passwords are changed and ideally to require two-factor authentication.
