NEXTEP POS Vendor Investigates Data Breach

Another point-of-sale vendor has been hit by cyberthieves. NEXTEP Systems has confirmed that a breach exposed payment card data for cards used at the Zoup restaurant chain, which uses POS devices from NEXTEP, Krebs on Security reported.

Payment card accounts used at “a large number” of locations in the 75-restaurant Zoup chain were later used for fraudulent purchases, financial industry sources told reporter Brian Krebs. But Zoup referred Krebs to NEXTEP, whose point-of-sale devices are used in all Zoup locations.

NEXTEP, which is based in Troy, Michigan, confirmed that it had been notified of a compromise of its point-of-sale devices.

“NEXTEP was recently notified by law enforcement that the security of the systems at some of our customer locations may have been compromised,” NEXTEP President Tommy Woycik told Krebs in an emailed statement. “NEXTEP immediately launched an investigation in cooperation with law enforcement and data security experts we retained to determine the root cause and remediate the issue. We do know that this is NOT affecting all NEXTEP customers, and we have been working with our customers to ensure that any issues are addressed. This remains an ongoing investigation with law enforcement. At this stage, we are not certain of the extent of the breach, and are working around the clock to ensure a complete resolution.”

Because many Zoup locations were affected, and the chain’s restaurants are spread out across the northern U.S. between Michigan and the Pacific Ocean, the most likely breach scenario is remote access to point-of-sale devices, which would allow cyberthieves to capture payment card numbers directly from the devices.

That would make the Zoup breach similar to the one that let cyberthieves use security weaknesses at POS vendor Signature Systems to steal card data from locations of the Jimmy John’s sandwich chain, as well as 100 other restaurants that used Signature’s systems.

Another possibility is malware within NEXTEP’s own systems — making the breach a closer match to the one that stole card data for more than 300 Goodwill Industries thrift stores as well as other retail locations after third-party processor C&K Systems was successfully infected by thieves.