Point of Sale Machines are Potential Cause of Another Data Breach
Neiman Marcus is the latest victim of a data breach caused by credit card hackers. Brian Krebs reported last week that the upscale department store had its database of customer information hacked last month. This comes in the wake of Target's historic breach of over 40 million credit card numbers and an additional 70 million personally identifiable information (PII) records of their customers.
Both of these attacks have some similarities, leading some to believe there may be a connection. The attacks happened around the same time, in the stretch between Black Friday and Christmas. Also, in both cases, only customers who used their cards at the brick-and-mortar stores seemed to have their information exposed, not online shoppers.
What is also important to remember about both breaches is that they occurred at the point of sale (POS). POS machines have many vulnerabilities, both during their use and after retirement. As Michael Kassner points out in a recent article, many POS machines do not run proprietary software and are mostly Windows-based. This means the devices that are collecting your credit card data are susceptible to the same security issues that affect all other Windows programs.
The US ranks third among countries with the most virus threats, and 40% of households in the US were affected by a computer virus in 2012. Windows components were third on the list of most targeted applications, behind Java and Adobe, which are also found on Windows computers. The viruses that frequently infect home computers are the same viruses compromising POS machines.
But this is just the beginning. Hackers might be able to intercept and redirect your data at the POS level, but the vulnerabilities go beyond that. This data is being stored in data centers where hard drives are failing every minute. Every drive that is taken out of its working environment still has this sensitive data on it; where does it go from there?
It is important to protect the personally identifiable information of your customers, from the time their card is swiped to the secure destruction at the end-of-life stage of each device storing PII. Steps need to be taken to ensure that data-bearing drives are properly contained and destroyed onsite, and that data-bearing devices (POS machines included) are properly wiped and recycled. If done right, your company can have complete indemnification, from the containment stage through the destruction and removal process.
Would you like to evaluate your current process or learn more about our onsite data destruction solution? Don't hesitate: contact us today. We look forward to hearing from you!