Harbortouch POS malware attack – customer card data stolen

Allentown, PA-based point-of-sale (POS) vendor Harbortouch has disclosed a data breach affecting “a small number” of merchants using its systems.

Brian Krebs, however, reports that at least 4,200 of Harbortouch’s “restaurant and bar customers were impacted by malicious software that allowed thieves to siphon customer card data from affected merchants”.

In a statement released to Mr Krebs, Harbortouch said:

“The advanced malware was designed to avoid detection by the antivirus program running on the POS System. Within hours of detecting the incident, Harbortouch identified and removed the malware from affected systems. We have engaged Mandiant, a leading forensic investigator, to assist in our ongoing investigation.”

Harbortouch said that its own network was unaffected, and the breach wasn’t the result of any vulnerability in its PA-DSS validated POS software.

“It is important to note that only a small percentage of our merchants were affected and over a relatively short period of time,” Harbortouch continued. “We are working with the appropriate parties to notify the card issuing banks that were potentially impacted. Those banks can then conduct heightened monitoring of transactions to detect and prevent unauthorized charges. We are also coordinating our efforts with law enforcement to assist them in their investigation.”


Point-of-sale providers remain an attractive target for cyber criminals and Harbortouch is by no means the first – nor is it likely to be the last – to suffer a data breach. The large amount of banking information that passes through POS systems is easily monetized once stolen, and criminals can achieve a high return relatively easily. It’s therefore unsurprising that POS malware continues to proliferate: Cisco recently reported a new strain of POS malware called PoSeidon, which scrapes infected machines’ memory and exfiltrates data for criminal resale.

“How to Avoid Costly Data Breaches”

In light of this incident, Harbortouch’s blog from last June, How to Avoid Costly Data Breaches, becomes particularly interesting.

“POS systems have proven to be prime targets for hackers and data thieves so the restaurant and retail industries need to emphasize preventative actions,” it notes. “In addition to maintaining PCI Compliance, there are a number of steps you can take to protect your business from a costly data breach.”

The steps it lists are:

  • “Restrict remote access”
  • “Maintain customer privacy”
  • “Do not log PIN numbers”
  • “Enforce strong password policies”
  • “Restrict personal use on your business equipment”
  • “Make sure any online access to your reporting or POS management is always SSL protected”

PCI DSS v3.1

That last point has now been overruled by the newly published PCI DSS version 3.1, which denigrates SSL – and early versions of TLS – and states that “strong cryptography” can only be achieved by using newer versions of TLS.

All organizations that store, transmit or process payment cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI-compliant organizations have just over a year – until June 30, 2016 – to implement new security controls, but considering the growing threat of malware to POS systems, we advise them to comply with PCI DSS v3.1’s requirements sooner rather than later.

IT Governance is a PCI Qualified Security Assessor (QSA), and provides a wide range of products to help your organization achieve and maintain compliance with the PCI DSS, including guidebooks, e-learning and classroom-based staff training, a documentation toolkit, and consultancy support.

For more information on PCI DSS compliance, and to learn how IT Governance can help you protect your data, email us at servicecenter@itgovernanceusa.com or call us on 1-877-317-3454.