Another day, another data breach. Zoup! the restaurant known for its soup, salad, and sandwiches is the latest retailer to have it POS system hacked. The hack exposed credit card information hacked according to MLive. From a statement posted on the Zoup! website Zoup! CEO Eric Ersher told their customers victims – too bad so sad, “… in the days ahead, we will work hard to preserve your trust.”
Apparently re-gaining my trust does not include telling me my information was stolen, or the usual credit monitoring or credit restoration services, according to MLive Southfield, MI-based Zoup! will not be contacting customers who were affected by the cyber-attack.
The stonewall goes beyond Zoup!’s customers. When contacted by security researcher Brian Krebs, for comment CEO Ersher referred calls to NEXTEP, who runs all of Zoup!s point-of-sale devices. Troy, MI-based NEXTEP President Tommy Woycik emailed Mr. Krebs a statement, which says in part, “NEXTEP was recently notified by law enforcement that the security of the systems at some of our customer locations may have been compromised.”
The MLive article reports that Zoup! learned March 4 of a payment card security issue that affected most of its U.S. locations. Between Feb. 2 and March 5, the malware installed on the point-of-sale system was tracking credit card numbers, and possibly PII data such as the cardholders’ name, card expiration date, and verification code.
POS vendors have a notorious track record for data security. One breach can impact 100’s of locations. The 2014 breach at the POS vendor Signature Systems Inc. affected Jimmy John sandwich shops and at least 100 other restaurants. The 2015 breach at Advanced Restaurant Management Applications (ARMA) affected many of its client restaurants. And now Nextep has impact up to 75 Zoup! locations and possibly 100,000’s of customers.
CEO Ersher stated in a statement in a statement, “… we moved as swiftly as possible to address the problem once we learned about it … ” Oh really? if they had read Bach Seat last year when I wrote about POS hacks or paid attention to US-CERT or warnings they would have been prepared.
The company set up a website for customers with concerns or call Zoup! at 800-343-9308, Monday – Friday, 8 a.m. – 5 p.m. ET.
rb-
I think that Zoup! should cool the attitude and review the info I posted in 2014 on how to avoid POS System breaches.
1. Change administrative passwords on all POS systems. (Hackers are scanning the Internet for easily guessable passwords).
2. Implement a firewall or access control list on remote access /administration services. (If hackers can’t reach your systems, they can’t easily steal from it).
3. Avoid using POS systems to browse the web (or anything else on the Internet).
4. Make sure your POS is a PCI DSS compliant application (ask your vendor)
5. Use password management software like LastPass to generate secure passwords. (LastPass allows you to avoid storing passwords in your browsers and can generate ready-to-use secure passwords for you).
Related articles
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.