Breach Alert: POS Vendor Lightspeed Says Hacker Accessed Databases; Breach Severity Unclear
"The security and privacy of your systems are our priority."
If someone gave you $10 to guess what that boilerplate was attached to, you'd be hard-pressed not to guess that it was a data breach notification.
"There is no indication that any specific data, including any personal information, has been taken or used."
Montreal-based Lightspeed POS, founded in 2005, sells a cloud-based point-of-sale system to retailers and restaurateurs that's used to process both physical and online transactions, and which competes with the likes of Shopify and Square. According to the notification, the breach affects the company's cloud-based POS product, Lightspeed Retail, which doesn't handle card data or customers' personal information, and which is mainly used by retailers.
Lightspeed couldn't be immediately reached for comment on the data breach notification, including how many customers it had alerted, how many might have been affected, as well as when the breach occurred and when it was detected. The company's website says it counts more than 38,000 customers across 100 countries, and processes 12 billion transactions annually.
Canada lacks a nationwide mandatory data breach notification law. Aside from some rules that apply only to healthcare data, "Alberta is currently the only province in Canada to have generally applicable mandatory data breach reporting requirements for all private sector organizations," according to law firm DLA Piper.
Breach Severity Unclear
The breach notification says that Lightspeed discovered that someone had accessed its Lightspeed Retail system without authorization and that it doesn't know how bad the breach might be, although it's hired unnamed "third-party security experts" to conduct a digital forensic investigation, as well as applied unspecified software patches.
Attackers accessed databases containing "sales, product and customer information as well as encrypted passwords and API keys," as well as "consumers' electronic signatures" for any customers using the company's "Customer Facing Display." Such displays - often, an iPad - are the equivalent of a second monitor that allows customers to see items that are being scanned and the total price of their purchase, in real time, and are required by law in some U.S. states, such as California and Nevada.
Lightspeed says its Retail product "has never stored any sensitive credit card information" and that its "integrated payment providers must use hardware that encrypts the payment information at the source of payment."
Lightspeed says that all passwords - which may have been accessed by attackers - "are stored using advanced encryption technology," but declines to say what that is, and notes that such protections apply only to passwords that have been created or changed since January 2015. It recommends that all customers change their passwords, although it says that "there is no indication that any specific data, including any personal information, has been taken or used." One caveat the notification does not address: encrypting stored passwords is not the same as hashing them with a salted, deliberately slow function. Encrypted passwords are recoverable by anyone who also obtains the key, so the value of "advanced encryption" depends entirely on where that key lived relative to the compromised databases.
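The following is an added illustration, not code from Lightspeed or from the original article, of the distinction raised above: passwords stored with a salted, slow key derivation cannot be turned back into plaintext by whoever steals the database, and a breach-response triage can identify which records were never protected that way. The user records, the `legacy_aes` scheme label and the field names are constructed for the example.

```python
import hashlib
import hmac
import os
from datetime import date
from typing import Optional

# PBKDF2-HMAC-SHA256 parameters. The iteration count is what makes offline
# guessing expensive once an attacker holds a copy of the database.
PBKDF2_ITERATIONS = 310_000
SALT_LEN = 16
DK_LEN = 32
SCHEME = "pbkdf2_sha256"

# Date from which slow hashing was in use; mirrors the January 2015 cutoff in the
# notification, but the value here is an assumption for the example.
HASHING_SINCE = date(2015, 1, 1)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=DK_LEN
    )
    return f"{SCHEME}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time.

    There is no decrypt step: the only way to get from the stored record back to
    a password is to guess, which is the property a reversible scheme lacks.
    """
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex),
        int(iterations), dklen=DK_LEN,
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def must_force_reset(record: dict, hashing_since: date) -> bool:
    """Breach triage: treat a credential as exposed if it predates slow hashing
    or is stored under any scheme other than the slow hash (e.g. a reversible one)."""
    if record["password_changed"] < hashing_since:
        return True
    return not record["password_record"].startswith(SCHEME + "$")


def triage(records, hashing_since: date):
    """Return the user ids whose passwords must be invalidated after a breach."""
    return [r["user_id"] for r in records if must_force_reset(r, hashing_since)]


# Constructed sample rows: one modern record, one pre-cutoff record, and one
# post-cutoff record still held under a hypothetical reversible 'legacy_aes' scheme.
SAMPLE_USERS = [
    {"user_id": "u1", "password_changed": date(2016, 3, 1),
     "password_record": hash_password("correct horse battery staple")},
    {"user_id": "u2", "password_changed": date(2014, 6, 1),
     "password_record": "legacy_aes$0badc0de"},
    {"user_id": "u3", "password_changed": date(2016, 1, 1),
     "password_record": "legacy_aes$deadbeef"},
]

if __name__ == "__main__":
    print("force reset:", triage(SAMPLE_USERS, HASHING_SINCE))
```

Running the block lists u2 and u3 as the accounts that must be reset: u2 because it predates the cutoff, u3 because, even though it was changed later, it was never migrated to the slow hash. That is the list an incident responder wants, and it is derivable only if the stored records say which scheme protected them.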
No Mention of Security Logs, Audit Processes
Such reassurances, however, are little more than doublespeak, equivalent to saying that "everything may have been stolen, but we just haven't witnessed the fallout yet."
Indeed, organizations that have the right tools, audit and security logs, and skilled expertise in place should be able to provide a definitive breach damage assessment. But Lightspeed makes no reference to such tools or processes.
Don't discount the possibility that Lightspeed may not know the true severity of the breach until any information that was stolen begins to surface in unwelcome ways. This year, for example, stolen data circulating on underground sites revealed that Dropbox and LinkedIn, both of which reported intrusions in 2012, had suffered data loss that was orders of magnitude worse than they'd suspected (see Dropbox's Big, Bad, Belated Breach Notification).
Production Systems Accessed?
Lightspeed's breach notification also reveals which security controls were not in place prior to its breach. Post-breach, the company says it has "introduced and enforced strict new access policies, limiting personnel access to our production infrastructure and sensitive data." If attackers gained access to the company's production infrastructure, they could potentially have altered the company's code to push malware to POS devices that reads card data as cards are swiped, regardless of whether the system then encrypts the data and sends it elsewhere.
Lightspeed didn't immediately respond to a request for comment about that possibility, including whether a code-management system might have been accessed and tampered with.
On the upside, Lightspeed has also been moving its Retail product's API toward OAuth for authentication. An upgrade adding OAuth to Retail's authentication protocol was released on Aug. 2, and the company says OAuth will become mandatory within a few months. That matters in the context of this breach because the stolen data included API keys: a static API key is valid until someone notices and rotates it, whereas OAuth access tokens can be issued with short lifetimes and revoked centrally, so a leaked token is worth far less to an attacker than a leaked long-lived key.
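The following is an added example, not Lightspeed's code and not a description of its API, showing why the migration matters when a database of credentials has been copied: a static API key checked against a stored hash stays valid indefinitely, while a short-lived, signed bearer token of the kind an OAuth authorization server issues expires on its own and can be revoked by id. The signing key, TTL, account names and token layout are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Hypothetical server-side signing key for the example. In production it must not
# live in the same database as the records it protects, or a database theft also
# lets the attacker mint tokens.
SIGNING_KEY = b"example-signing-key-do-not-reuse"
TOKEN_TTL_SECONDS = 900  # 15-minute access tokens

# Constructed in-memory stores standing in for a database.
STATIC_KEYS = {}           # key id -> (sha256 of secret, account)
REVOKED_TOKEN_IDS = set()  # jti values that have been revoked


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_static_key(account: str) -> str:
    """Mint a long-lived API key of the form key_id.secret and store only a hash."""
    key_id = secrets.token_hex(4)
    secret = secrets.token_urlsafe(24)
    STATIC_KEYS[key_id] = (hashlib.sha256(secret.encode()).digest(), account)
    return f"{key_id}.{secret}"


def check_static_key(api_key: str, now: float) -> Optional[str]:
    """Return the account for a valid key. Note there is no expiry to check:
    a stolen key keeps working until it is rotated by hand."""
    key_id, _, secret = api_key.partition(".")
    entry = STATIC_KEYS.get(key_id)
    if entry is None:
        return None
    stored_hash, account = entry
    if not hmac.compare_digest(stored_hash, hashlib.sha256(secret.encode()).digest()):
        return None
    return account


def issue_access_token(account: str, scope: str, now: float) -> str:
    """Issue an HMAC-signed bearer token with an expiry and a unique id (jti)."""
    claims = {
        "sub": account, "scope": scope, "jti": secrets.token_hex(8),
        "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS,
    }
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def check_access_token(token: str, now: float) -> Optional[dict]:
    """Return the claims if the signature is valid, the token is unexpired and not revoked."""
    body, _, sig = token.partition(".")
    try:
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
        if now >= claims["exp"] or claims["jti"] in REVOKED_TOKEN_IDS:
            return None
        return claims
    except (ValueError, KeyError, TypeError):
        return None


def revoke_access_token(token: str) -> None:
    """Revoke by jti, so a known-leaked token dies before its natural expiry."""
    body, _, _ = token.partition(".")
    REVOKED_TOKEN_IDS.add(json.loads(_unb64(body))["jti"])


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    key = issue_static_key("merchant-42")
    tok = issue_access_token("merchant-42", "sales:read", t0)
    print("static key, ten years later:", check_static_key(key, t0 + 10 * 365 * 86400))
    print("token, 16 minutes later:", check_access_token(tok, t0 + 16 * 60))
```

Run stand-alone, the block prints the account name for the static key a decade after issue and `None` for the token a minute past its TTL. The revocation list is what turns a breach notice into an immediate containment step: every token id can be revoked at once, without waiting for each customer to rotate a key.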
POS Vendor Breaches Continue
Lightspeed's breach is concerning in part because it has come to light in the wake of the breach of Oracle MICROS, with Oracle warning that it "has detected and addressed malicious code in certain legacy MICROS systems."
MICROS is point-of-sale hardware and software used across 330,000 customer sites in 180 countries and to date, Oracle has remained mum about just how bad the breach might be.
Alex Holden, CISO at security and digital forensics firm Hold Security, says 10 smaller POS vendors in addition to MICROS - he would name only Cin7, ECRS, NavyZebra, PAR Technology and Uniwell - have been attacked in recent weeks (see Recent POS Attacks: Are They Linked?).
But Holden says he has no evidence tying Lightspeed to any other attacks. "From our vantage points, we did not see the same hackers target Lightspeed," he tells me. "However - based on the details disclosed - the breaches that we identified and this situation appear to be very similar."
Managing Editor Jeremy Kirk contributed to this blog. It has been updated with comment from Alex Holden.