Big Credit Card Data Breach Hits Bars And Restaurants Using Harbortouch Point-of-Sale Systems

In much of the country, this is the first truly warm week of the year. The change of seasons has us turning to shorts, dresses, sandals, and chilled fruity drinks served in rooftop bars. But data breaches, alas, are always in style, and buying that beverage may land you with a stolen credit card number.

The issue this time around is with point-of-sale vendor Harbortouch. Security expert Brian Krebs flagged the hack on his site this week.

Unless you work in a few specific industries, you probably haven’t heard of Harbortouch. But they’re pretty huge: the company provides point-of-sale systems to roughly 150,000 businesses, generally restaurants and bars. Krebs reports that his sources at card-issuing banks say that at least 4200 Harbortouch customers nationwide appear to have been breached.

As we have seen plenty of times before, and will continue to see plenty more times, this hack involved point-of-sale terminals being infected with malware. Once in place, the malware scrapes card data from affected merchants at the time of swipe, and sends it zipping merrily off to people who should not have it.

Harbortouch confirmed the breach in a statement to Krebs, saying, “The incident involved the installation of malware on certain point of sale (POS) systems.” They added, “The advanced malware was designed to avoid detection by the antivirus program running on the POS System. Within hours of detecting the incident, Harbortouch identified and removed the malware from affected systems.”

Their own network was not affected, Harbortouch said, nor was it the result of a vulnerability in their software. And, as one does, they have hired a specialist network forensic investigative firm to help them sort out precisely what happened.

Harbortouch insists that “only a small percentage of our merchants were affected.” Technically, as far as we know, that’s true: 4200 out of 150k merchants is less than three percent. But over four thousand stores is also an awful lot of locations and an awful lot of lifted data.

“Harbortouch does not directly process or store cardholder data,” the company told Krebs. “It is important to note that only a small percentage of our merchants were affected and over a relatively short period of time. We are working with the appropriate parties to notify the card issuing banks that were potentially impacted. Those banks can then conduct heightened monitoring of transactions to detect and prevent unauthorized charges. We are also coordinating our efforts with law enforcement to assist them in their investigation.”

A few months back, after the P.F. Chang’s breach made headlines, Harbortouch made a post to their corporate blog on the importance of data protection and how not to become a victim of breaches. Unfortunately, “make sure the company you’re buying this system from doesn’t become infected with malware” was not on the list of action items.

This particular kind of breach is likely slowly to become less prevalent over the next few years, as merchants in the U.S. finally make the long-overdue transition to chip-enabled EMV cards. But for now, consumers’ best bet is to assume breaches are inevitable and to keep a sharp eye on all of their own cards and accounts.

Harbortouch is Latest POS Vendor Breach [Krebs on Security]

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.