NEXTEP Systems, based in Troy, Michigan, is a leading provider of point-of-sale solutions for restaurants, casinos, airports, and various other food service venues. According to Krebsonsecurity, Law enforcement recently notified the vendor of a potential breach wherein some of its customer locations have been compromised.
Zoup, one of NEXTEP’s largest customers and a chain of approximately 75 soup eateries across Canada and the United States, was one of the customers impacted – sources in the financial industry noticed a multitude of reports of fraud on credit cards recently used within the soup eateries.
Zoup CEO, Eric Ersher, said the soup eatery utilizes NEXTEP’s point-of-sale solutions across all of its locations. NEXTEP President, Tommy Woycik, doesn’t believe all of the company’s customers have been affected.
He explained, “NEXTEP was recently notified by law enforcement that the security of the systems at some of our customer locations may have been compromised. NEXTEP immediately launced an investigation in cooperation with law enforcement and data security experts we retained to determine the root cause and remediate the issue.”
“We do know that this is not affecting all NEXTEP customers, and we have been working with our customers to ensure that any issues are addressed.” He continued, “This remains an ongoing investigation with law enforcement. At this stage, we’re not certain of the extent of the breach, and are working around the clock to ensure a complete resolution.”
A Look Back in History – What Causes Breaches Like This?
When we look back in history, a significant amount of breaches have involved food service establishments; often tracing back to security weaknesses exploited in point-of-sale systems purchased through POS vendors.
For example, Jimmy Johns sandwich shops experienced a pattern of credit card fraud last year. This breach traced back to security weaknesses in their point-of-sale system purchased from Signature Systems Inc., a POS vendor.
It all comes down to securing point-of-sale systems properly, which might be something you’re unsure about. If so, here’s a few tips to help you out:
Understand endpoint security risks: Sensitive information is stored and processed on POS systems, laptops, tablets, and desktops. Even if your corporate networks are secure, endpoints might not be.
- Always ensure third-party patches are applied.
- Use strong passwords at all times.
- Avoid downloading potentially dangerous files.
Adopt the right endpoint security solutions: If you have security policies written or printed out, that’s great, but they must be enforced with the right endpoint security solutions:
- Network-based content filtering.
- Data loss prevention.
- Advanced malware protection.
Create an incident response plan: If you don’t have an incident response plan, you’re likely going to be reactive instead of proactive in the event of data breach. Make sure you’ve created an incident response plan:
- Define what constitutes an incident
- Write out steps to follow in the event of incident
- FOLLOW the incident response plan if necessary
While it’s not clear what caused the NEXTEP breach, history tells us that stolen credentials could’ve been the problem. When a hacker gets ahold of credentials, they’re able to remotely administer affected point-of-sale systems; and that’s where security comes into play.