Late last week, the U.S. Justice Department indicted three Ukrainian nationals in connection with a hacking (malware) scheme that stole more than 15 million credit and debit card numbers from the restaurant, gaming, and hospitality industries. The scheme involved sending legitimate-looking emails to employees of the targeted companies, and tricking those employees into activating a file attached to the emails. Once the file was clicked or downloaded from an email, it installed malware onto the restaurant group’s computer system. That malware burrowed into the network and stole payment information from point of sale (POS) and other devices, which the hacker group either used or sold. Chipotle and Arby’s are among the chains that have disclosed attacks by the group, known as “FIN7.” Only the leaders were indicted; the group is still in operation beyond U.S. borders.
The FIN7 method of operation is essentially a combination of technical skills and low-tech con operations to gain access into a computer network and exploit it. Restaurants and other businesses with extensive POS installations are especially vulnerable. According to Mark Ray, security consultant with Nardello & Co. and former Special Agent with the FBI, POS systems often come with known security problems out of the box. In addition, by definition, these devices are collecting valuable consumer payment card and transactional information. Mr. Ray said that this combination of factors means “restaurants and retail establishments are especially rich targets for hacking and social engineering schemes. This sector is sure to continue to see malicious activity.”
In the case of FIN7 and other criminal enterprises, the technology issues were exploited via “behavioral engineering,” meaning an unauthorized but convincing email message to employees kicked off the problem. The most effective way to combat such low-tech approaches is to train your employees to spot the signs of a suspicious email, and to report any non-legitimate messaging to management or the IT department. Technical solutions are absolutely an important part of cyber defenses and information security planning. Many successful attacks, however, involve exploiting human weaknesses, as well as technological vulnerabilities. Tech tools alone cannot keep out the “bad guys.”
The costs of a successful attack can mount quickly: investigating, containing, and remedying the problem require technical resources; responding to and messaging about the problem require legal and PR resources. There may be other costs such as customer relations efforts, lost sales transaction records, litigation with card issuers or POS vendors, or rebuilding data or devices crippled by an attack. The average data breach in 2018 cost $3.18 million, according to the Ponemon Institute. Advance planning and training, together, can speed your response time and thus help control the costs of any event. Planning and training can even prevent an attack from happening. The right combination of legal and security resources can buffer the effects of most attacks.