POS Provider Warns of Card Breach at Restaurants in 15 States

Bemidji, Minn.-based North Country Business Products announced a data security incident possibly led to unauthorized payment information access of some consumers using credit and debit cards at 135 business partner restaurants.

North Country, a provider of point-of-sale systems, in a Notice of Data Security Incident indicated the incident may have affected card users mostly in Arizona and Minnesota, but also in California, Colorado, Iowa, Louisiana, Michigan, Missouri, North Dakota, Ohio, Oregon, South Dakota, Tennessee, Texas and Wisconsin. Specific information possibly exposed included the cardholder’s name, credit card number, expiration date, and CVV.

In a statement, North Country described what took place: “On January 4, 2019, North Country learned of suspicious activity occurring within certain client networks. North Country immediately launched an investigation, working with third-party forensic investigators to determine the nature and scope of the event. On January 30, 2019, the investigation determined that an unauthorized party was able to deploy malware to a certain number of North Country’s business partners restaurants between January 3, 2019, and January 24, 2019, that collected credit and debit card information.”

North Country also said it takes this incident and the security of our customers’ information very seriously. The company updated processes to further strengthen its systems to protect its business partners’ customer debit or credit card information and will continue to work with third-party experts to help ensure the highest levels of security.

As with all data breaches and/or events affecting payments the risk extends to credit unions and other financial institutions that issue credit and debit cards.

Especially since point-of-sale intrusions continue to be a favorite attack vector for cybercriminals, as suggested by Kevin Watson, CEO of Netsurion, a St. Louis-based managed security services provider for multi-location businesses. “Small merchants are typically soft targets with underwhelming cybersecurity controls in place. POS hackers are able to scale their operations by attacking the POS vendor serving thousands of merchants, rather than the merchants themselves.”

Watson noted this is the latest example of that strategy being carried out successfully. Merchants and POS vendors alike need to implement advanced threat protection beyond firewall and antivirus to stand a chance. “Fortunately, such solutions that were once only practical for large enterprises like security information and event management, and endpoint detection and response are now available as managed services designed for the small and mid-sized business.”

Jonathan Deveaux, head of enterprise data protection at comforte AG, commented, as well. “Companies who process card payments still are not doing enough to protect data. It is mind-blowing that companies are still exposed to this type of threat. Maybe they believe ‘no one would want to steal our data – we are not a target.’” Deveaux added, “Sure, places like Dunn Brothers Coffee in Nashville, Zipps Sports Grill of Phoenix, and Tacos Trompo of Fargo, are not seen as places where a bad actor would target specifically. But each of those places worked with a partner whose network was compromised. Companies need to realize they are targets no matter where they are because the data they have is valuable.”

For consumers, going back to cash-only transactions isn’t realistic, Deveaux pointed out. “Neither is experiencing a data breach or data exposure incident, which has already happened in the same manner as other organizations. Companies need to do something more effective than they are doing today and focus on solutions that actually reduce the potential of a breach, or minimize the effect of one.”