
Cybersecurity Falls Short In September

Data Breaches On The Rise

Since Sept. 7, the media has been abuzz over the security breach at credit scoring company Equifax and the vast number of consequences the incident set in motion, from the resignation of the company’s CEO to lawsuits filed by state Attorneys General across the U.S.

While Equifax is clearly learning from (and paying dearly for) its mistakes, it would have been nice to see some others take the lesson to heart before they became the next victim. Unfortunately, if anything, the number of blockbuster breaches in September seemed bigger than normal, not smaller.

Here are a few of the places fraudsters found their “in” this month — some of which were overshadowed by the Equifax news, some of which held their own in headlines, but all of which have been cause for concern among consumers, who are losing confidence in any company’s ability to keep their personal information safe.

SAP Point of Sale

Luckily, this one was just a hypothetical hack — it could have been much worse. It was a team of cybersecurity researchers from the firm ERPScan, and not malicious hackers, who discovered that point-of-sale (POS) systems made by SAP had a gaping loophole.

These white hat hackers found that the system did not authenticate or check internal commands, so anyone with access to the store’s network could wreak havoc with prices at the checkout, including setting discounts, capturing card data or even remotely starting or shutting down the terminal.

When any devices around a store are connected by Ethernet, it’s practically an invitation to hackers to launch a plug-and-play attack. SAP quickly rolled out patches and fixed the vulnerability before less honorable hackers could take advantage of it.

Yahoo Litigation Moves Forward

Though not a new hack, the data breaches at Yahoo nevertheless comprised the largest cyberattack of all time, so it’s only fitting that we include this month’s court decision to move forward with litigation.

The courts reportedly dismissed Yahoo’s claim that victims did not have the standing to sue. The nationwide lawsuit represents the interests of one billion users, all of whom face the risk of future identity theft thanks to the Yahoo breach. Some plaintiffs also said they spent their own money defending themselves against these potential future attacks — an expenditure that would not have been made if Yahoo had not exposed their personal data in the first place.


Instagram

Hackers reportedly stole celebrities’ contact information, including email addresses and phone numbers, through an Instagram security breach. It was later revealed that non-celebrity users of the photo-sharing social network were also affected, though Instagram did not say how many.

While no passwords were stolen and the vulnerability was patched, the stolen data had already made its way online, with sites such as Doxagram claiming to sell celebrity contact information for as little as $10. This incident occurred despite the fact that Instagram had introduced two-factor authentication months earlier. Users who are not already using the more secure two-factor option would do well to activate it, the platform recommended.

Elasticsearch Servers

Due to a lack of password security and authentication technology, more than 4,000 Elasticsearch machines were infected by two types of malware, JackPOS and AlinaPOS. Elasticsearch is an open-source search engine built on the Apache Lucene library.

Malware on its servers could herald more POS system attacks in the future, according to Security Intelligence. The particular malware discovered would allow attackers to wipe information or take control of computers.

Kromtech Security experts found that more than one-quarter of Elasticsearch instances had been exposed to files with links to hidden command-and-control servers. Most of the systems are hosted on Amazon Web Services, the popularity of which could increase the potential for more users to be exposed to these malicious files.

EDGAR Database

The U.S. Securities and Exchange Commission (SEC) revealed that its EDGAR database for corporate filings had been compromised the previous year and now, more recently, may have been hacked by individuals who wished to make illegal insider trades based on the information from the previous breach.

Reportedly, the hackers leveraged a weakness in the EDGAR system, which has since been patched. While the corporate reports filed in the system don’t contain very sensitive information, the symbolic value of the attack is weighty, especially since, ironically, the SEC’s new chairman has made a point of focusing on cybersecurity enforcement.

National Bank of Canada

National Bank of Canada customers may have seen data belonging to other customers while filling out an electronic form on the bank’s website. No addresses, banking information or social insurance numbers were compromised by the glitch.

Thankfully, this one was just a glitch caused by human error and not a malicious attack. It impacted around 400 customers, all of whom have been provided with free credit monitoring services since the incident.


Deloitte

Cyberattackers reportedly leveraged an administrator’s account to gain unrestricted access across Deloitte’s email server, which stores around five million emails for the Big Four accountancy firm.

The administrative account required only a single password rather than the more secure two-factor authentication — odd and rather embarrassing, since Deloitte prides itself on its cybersecurity chops and even provides security services to clients.

The breach exposed emails and company plans of several of Deloitte’s clients. Deloitte has notified some and is still investigating the impact to others.

Sonic Drive-In

The first signs of a breach appeared in the Oklahoma City area on Wednesday, Sept. 27, where financial institutions started noticing a wave of bad card transactions. The common denominator? All had recently been used at a Sonic.

Meanwhile on the dark web, five million new cards were flooding the bazaar Joker’s Stash, many or all of which were tied to the Sonic breach (it was unclear whether some had been mixed in from other eatery breaches).

Sonic owned up to the breach and launched an investigation, bringing on third-party forensic experts and law enforcement as soon as it heard from its credit card processor that there had been unusual card activity. It is not yet known how many locations or individuals were affected.

Whole Foods

The good news is, if you buy your groceries at Whole Foods, your payment data is safe. The latest blockbuster breach only affected the POS systems used at the taprooms and full-service restaurants located at some Whole Foods stores, which are different from the primary checkout systems.

Amazon customers need not worry: Although the eCommerce giant recently acquired Whole Foods, the payment systems are not linked, so there has been no impact to transactions on Amazon’s website.

At least, customers don’t need to worry about this breach exposing their data through that channel. However, if they want to worry about a breach exposing their data on some channel at some time — well, considering the month we’ve just had, who could blame them?


