According to reports emerging from Krebs On Security, Verifone is reportedly investigating a breach of its internal computer networks. According to informed sources, the attack was limited to Verifone’s corporate network and had no impact on its payments services network.
Reports also indicate that the firm sent an urgent email to all its employees and contractors back in January warning that all company passwords had to be changed within 24 hours.
“We are currently investigating an IT control matter in the Verifone environment,” Steve Horan, SVP and chief information officer of Verifone, said in an internal email memo. “As a precaution, we are taking immediate steps to improve our controls.”
A copy of the memo was obtained by Krebs On Security and confirms that employees were told they would no longer be allowed to install software on company laptops and computers.
“In January 2017, Verifone’s information security team saw evidence of a limited cyber intrusion into our corporate network,” Verifone spokesman Andy Payment told KrebsOnSecurity. “Our payment services network was not impacted. We immediately began work to determine the type of information targeted and executed appropriate measures in response. We believe today that due to our immediate response, the potential for misuse of information is limited.”
More reporting from unnamed — but apparently knowledgable — sources indicates that the intrusion impacted one of Verifone’s customer support units, which supports payments solutions for gas and petrol stations in the U.S.
“The worst thing is the attackers have information on the point-of-sale systems that lets them put backdoors on the devices that can record, store and transmit stolen customer card data,” Avivah Litan, a financial fraud and endpoint solutions analyst for Gartner, noted. “It sounds like they were after point-of-sale software information, whether the POS designs, the source code, or signing keys. Also, the company says it believes it stopped the breach in time, and that usually means they don’t know if they did. The bottom line is it’s very serious when the Verifone system gets breached.”
The bottom line is potentially very serious — though Verifone noted that it thinks a wider breach of the payments architecture is unlikely. In a memo released to members of the press last night, the payments firm noted that according to third-party forensic teams, this cyber attempt was rather limited — two dozen gas station convenience stores were targeted over a short time period. No other merchants were targeted, and thus far the inegrity of the payments network and terminals seems to be wholly unaffected.
Verifone further noted that upon finding the cyber intrusion in their corporate network in January, the firm moved to alert Visa, Mastercard and other card schemes and to implement additional security controls across its corporate networks.
As of now, there are no signs that the data has been used (or misused), though monitoring for such activity is ongoing. Also ongoing is Verifone’s work to determine who is behind the hack — and what exact type of information was targeted by it.
We’ll have more on this story as it develops.