Simply Security - News, Views, and Opinions from Trend Micro

Subway hack raises PCI compliance concerns

Posted on February 3rd, 2012 in Current News, Privacy & Policy by Simply Security | 1 Comment

Four hackers from Romania have been charged on four counts in a cyberattack affecting Subway and hundreds of other companies.

Four Romanians have been charged with hacking the credit-card-processing and point-of-sale (POS) systems of hundreds of small businesses, including more than 100 Subway restaurant franchises.

According to an indictment filed earlier this month and obtained by Wired magazine, Adrian-Tiberiu Oprea, Iulian Dolan, Florin Radu and Cezar Iulian Butu face charges in the U.S. District of New Hampshire on counts of wire fraud, computer fraud and access device fraud.

In total, the hackers allegedly stole more than $3 million from Subway and other businesses in a scheme that may date as far back as 2008 and has affected as many as 80,000 victims, according to Ars Technica.

The indictment does not name any victims other than Subway.

While the losses may seem small compared to some of the more headline-grabbing cyberattacks of 2011, they could prove significant for the small businesses involved. Data breaches can be devastating for smaller companies, which often do not have the resources to absorb the financial damage caused by the incident.

Additionally, the hit to an organization's reputation can be even more damaging. If consumers do not believe their payment card information will be safe, they are likely to take their business elsewhere rather than risk identity theft and other consequences.

Beyond the consequences, the Subway incident also highlights the causes of such data breaches. According to Ars Technica, the hackers used relatively simple tools that can be obtained by virtually anyone with the intention of doing so. Essentially, the software being used on the POS systems provided a "ready-made backdoor" that allowed the hackers to gain entry and pick off unsuspecting victims for years.

The indictment does not name the particular POS system in question, but in January 2009, Subway announced that it would deploy the Torex Quick Service POS in its 30,000 restaurants.

Incidents such as these call attention to the Payment Card Industry Data Security Standard (PCI DSS) and what companies need to do to comply with it. While no technology is 100 percent safe – and POS systems are especially enticing targets for hackers – companies must ensure they are doing what they can to keep consumer information out of the hands of hackers and other cybercriminals.

According to the Ars Technica report, many of the Subway franchises had access to stronger security measures for their POS systems but chose not to use them, whether to speed up processes or simply out of convenience.

Disregard for the PCI DSS is a persistent trend: a 2011 study from the Ponemon Institute and Imperva found that the majority of security professionals do not believe complying with the standard has a positive effect on their companies. However, the evidence suggests otherwise.

According to the Ponemon Institute's study, 64 percent of companies that comply with the PCI DSS reported no data breaches involving payment card information in the previous two years. In contrast, only 38 percent of noncompliant organizations said they had not suffered a breach during the same time frame.

While complying with the PCI DSS does not guarantee that consumer information will be safe from data breaches or other threats, the results of the study are evidence that adhering to PCI DSS best practices is beneficial. The standard is one of the most effective measures for locking down data security practices and can go a long way toward improving a company's security posture.

Comments
  1. [...] isn’t a magical ‘seal of security’ or panacea against being hacked – as, for example, PCI compliant companies (sadly) get hacked and experience data leaks and other problems – even when running [...]

    Pingback by SQL Server And Anti-Virus | Malaysia Software Reseller | Dealer | PCWare2u on December 19, 2012 at 3:43 am