Incident: Credit Card Data Breach by Eastern European Hackers in Australia

Published Date: 2012-08-17

Postmortem Analysis
Timeline 1. The software failure incident took place between 2008 and May 2011, as reported in Article [13880].
System 1. Point-of-sale (POS) terminals 2. Microsoft Remote Desktop Protocol (RDP) connection 3. Torex Quick Service POS system [13880]
Responsible Organization 1. Eastern European hackers installed keystroke-logging software on point-of-sale terminals in Australia, leading to the breach of half a million credit card numbers [13880]. 2. Romanian nationals, including Adrian-Tiberiu Oprea, Iulian Dolan, Cezar Iulian Butu, and Florin Radu, were charged in the U.S. for hacking Subway sandwich shops and other retailers, indicating their involvement in the software failure incident [13880].
Impacted Organization 1. Customers of the unidentified merchant in Australia [13880] 2. Customers of Subway sandwich shops in the U.S. [13880]
Software Causes 1. Breach of half a million credit card numbers in Australia was caused by Eastern European hackers installing keystroke-logging software on point-of-sale terminals (POS) [13880]. 2. The hackers exploited an unsecured Microsoft Remote Desktop Protocol (RDP) connection to transmit the stolen data [13880]. 3. The company's network used default passwords and stored unsecured transactional data, contributing to the breach [13880]. 4. The POS systems were compromised by installing keystroke loggers and other sniffing software to steal customer credit, debit, and gift card numbers [13880]. 5. Backdoors were placed on the systems to provide ongoing access for the hackers [13880].
Non-software Causes 1. Lack of understanding of IT security by local suppliers who set up the network [13880] 2. Default passwords being used in the company's network [13880] 3. Unsecured transactional data being stored [13880] 4. Unsecured Microsoft Remote Desktop Protocol (RDP) connection used to transmit data [13880]
Impacts 1. Unauthorized purchases were made using compromised credit card data, resulting in financial losses for customers and businesses [13880]. 2. Over 80,000 customers had their credit card data compromised [13880]. 3. The hackers breached more than 200 POS systems, indicating a widespread impact on multiple businesses [13880]. 4. The incident highlighted the lack of IT security understanding by local suppliers who set up the network, leading to a significant data breach [13880].
Preventions 1. Implementing strong password policies and avoiding default passwords on network devices and systems could have prevented the breach; the hackers exploited default passwords on the company's network devices [13880]. 2. Regular security audits and assessments of the network infrastructure could have identified the vulnerabilities and prevented the installation of keystroke-logging software by the hackers [13880]. 3. Keeping POS systems updated with the latest security patches and software updates could have closed security loopholes that the hackers exploited [13880]. 4. Providing comprehensive IT security training to the local suppliers and employees responsible for setting up the network could have raised awareness of security best practices and avoided a network setup described as a "disaster waiting to happen" [13880].
Fixes 1. Implementing strong IT security measures, including changing default passwords, securing transactional data, and ensuring secure remote desktop connections [13880]. 2. Regular security audits and assessments to identify vulnerabilities and address them promptly [13880]. 3. Educating suppliers and employees on IT security best practices to prevent similar incidents in the future [13880]. 4. Utilizing secure POS systems and ensuring they are regularly updated and monitored for any suspicious activity [13880].
References 1. Det. Sup. Marden 2. SC Magazine 3. Authorities 4. Indictment in the District of New Hampshire 5. Subway restaurant chain 6. Maker of a POS 7. Seven U.S. restaurants 8. Romanian hacker 9. Online nicknames "tonymontanamiami" and "marcos_grande69" [13880]
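A defender-side check for two of the weaknesses named under Software Causes and Preventions above (an RDP connection reachable from outside and factory-default accounts), written as an added example; it is not code from the article or from any party it describes. It assumes Windows Security Event ID 4624 with LogonType 10 marks an RDP session, and the hostnames, account names, IP ranges, maintenance window and sample events are all constructed.

```python
# Added example (not from the article): flag RDP logons on POS terminals that
# break a simple policy. Field layout follows Event ID 4624 (LogonType 10 =
# RemoteInteractive, i.e. RDP); all names, addresses and events are constructed.
import ipaddress
from datetime import datetime

# Assumption: the POS vendor only services terminals from this range.
VENDOR_SUPPORT_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Assumption: factory accounts the integrator should have renamed or disabled.
DEFAULT_ACCOUNTS = {"administrator", "posadmin", "support"}
MAINTENANCE_HOURS = range(1, 5)  # 01:00-04:59 local; RDP outside this is unusual

# Constructed sample events: "time host event_id logon_type account source_ip"
SAMPLE_EVENTS = """\
2011-05-02T02:15:00 POS-REG01 4624 10 vendor_svc 203.0.113.8
2011-05-02T14:40:12 POS-REG01 4624 10 administrator 198.51.100.77
2011-05-02T14:41:03 POS-REG02 4624 10 administrator 198.51.100.77
2011-05-02T09:05:45 POS-REG03 4624 2 cashier1 127.0.0.1
2011-05-03T03:10:00 POS-REG02 4624 10 posadmin 203.0.113.8
"""

def parse_event(line):
    ts, host, event_id, logon_type, account, src = line.split()
    return {"time": datetime.fromisoformat(ts), "host": host,
            "event_id": int(event_id), "logon_type": int(logon_type),
            "account": account, "src": ipaddress.ip_address(src)}

def rdp_findings(log_text):
    """Return (host, account, source_ip, reasons) for each RDP logon that breaks policy."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev["event_id"] != 4624 or ev["logon_type"] != 10:
            continue  # only remote interactive (RDP) sessions are of interest here
        reasons = []
        if not any(ev["src"] in net for net in VENDOR_SUPPORT_NETS):
            reasons.append("rdp_from_unapproved_source")
        if ev["account"].lower() in DEFAULT_ACCOUNTS:
            reasons.append("default_account_used")
        if ev["time"].hour not in MAINTENANCE_HOURS:
            reasons.append("outside_maintenance_window")
        if reasons:
            findings.append((ev["host"], ev["account"], str(ev["src"]), reasons))
    return findings

if __name__ == "__main__":
    for finding in rdp_findings(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample the vendor logon passes, the two daytime "administrator" logons from an unapproved address trigger all three checks, and the "posadmin" logon is flagged only for using a default account.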

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization, multiple_organization (a) The software failure incident having happened again at one_organization: - The incident involving the breach of credit card numbers in Australia is linked to the same gang that previously targeted the Subway restaurant chain in the United States [13880]. - The hackers responsible for the Australian breach are believed to be members of the same Romanian group that hacked Subway sandwich shops and other retailers in the U.S. [13880]. (b) The software failure incident having happened again at multiple_organization: - The article mentions that seven U.S. restaurants sued the maker of a POS system in 2009 for failing to secure the product from a Romanian hacker who breached their systems, indicating that similar incidents have occurred at multiple organizations [13880].
Phase (Design/Operation) design, operation (a) The software failure incident in the article was primarily due to design-related factors introduced during system development and setup. The network of the affected company in Australia was set up by local suppliers who lacked understanding of IT security, leading to the use of default passwords and storage of unsecured transactional data. Additionally, the hackers exploited an unsecured Microsoft Remote Desktop Protocol (RDP) connection to transmit the stolen data [13880]. (b) The software failure incident also involved operation-related factors, as the hackers were able to siphon card data remotely from the point-of-sale terminals by installing keystroke-logging software. This operation-related failure was facilitated by the misuse of the POS systems and the lack of proper security measures in place to prevent unauthorized access and data theft [13880].
Boundary (Internal/External) within_system (a) within_system: The software failure incident reported in the articles was primarily due to contributing factors that originated from within the system. The breach of half a million credit card numbers in Australia was attributed to Eastern European hackers installing keystroke-logging software on point-of-sale terminals (POS) and siphoning card data remotely. The company's network used default passwords and stored unsecured transactional data, indicating internal vulnerabilities. Additionally, the network setup by local suppliers lacked proper IT security measures, making it a "disaster waiting to happen" [13880].
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident in the article was primarily due to non-human actions. The breach of half a million credit card numbers in Australia was attributed to Eastern European hackers who installed keystroke-logging software on point-of-sale terminals (POS) and siphoned card data remotely [13880]. Additionally, the network setup by local suppliers was described as a "disaster waiting to happen," indicating that the vulnerabilities were introduced without direct human participation in the breach [13880]. (b) However, human actions also played a role in the software failure incident. The article mentioned that the company's network used default passwords and stored unsecured transactional data, indicating a lack of proper security measures implemented by humans [13880]. Det. Sup. Marden highlighted that the network setup lacked IT security understanding, suggesting that human actions or oversights contributed to the vulnerability exploited by the hackers [13880].
Dimension (Hardware/Software) hardware, software (a) The software failure incident related to hardware: - The breach of half a million credit card numbers in Australia was attributed to Eastern European hackers who installed keystroke-logging software on point-of-sale terminals (POS) and siphoned card data remotely [13880]. - The network setup by local suppliers in Australia was mentioned to have lacked IT security understanding, indicating a hardware-related issue in the network setup [13880]. (b) The software failure incident related to software: - The hackers in the incident used unsecured Microsoft Remote Desktop Protocol (RDP) connection to transmit the stolen data, indicating a software vulnerability exploited by the hackers [13880]. - The hackers compromised POS systems by installing keystroke loggers and other sniffing software to steal customer credit, debit, and gift card numbers, highlighting a software-related vulnerability in the POS systems [13880].
Objective (Malicious/Non-malicious) malicious (a) The software failure incident in the articles is malicious in nature. The breach of half a million credit card numbers in Australia was conducted by Eastern European hackers who installed keystroke-logging software on point-of-sale terminals (POS) and siphoned card data remotely [13880]. The hackers compromised the credit card data of more than 80,000 customers and used the data to make millions of dollars of unauthorized purchases [13880]. The hackers were part of a Romanian group responsible for hacking Subway sandwich shops and other retailers in the U.S. [13880]. The intrusion was facilitated by the use of default passwords, unsecured transactional data storage, and an unsecured Microsoft Remote Desktop Protocol (RDP) connection [13880].
Intent (Poor/Accidental Decisions) poor_decisions (a) The intent of the software failure incident was poor_decisions. The breach of half a million credit card numbers in Australia was attributed to poor IT security practices, including using default passwords, storing unsecured transactional data, and setting up an unsecured Microsoft Remote Desktop Protocol (RDP) connection [13880]. The network setup by local suppliers lacked understanding of IT security, making it a disaster waiting to happen.
Capability (Incompetence/Accidental) development_incompetence (a) The software failure incident in the article was related to development incompetence. The breach of half a million credit card numbers in Australia was attributed to Eastern European hackers who installed keystroke-logging software on point-of-sale terminals (POS) due to the company's network using default passwords and storing unsecured transactional data. The network setup by local suppliers lacked IT security understanding, making it vulnerable to such attacks [13880]. (b) The accidental factor is not explicitly mentioned in the provided article.
Duration permanent (a) The software failure incident described in the articles is of a permanent nature. The breach of half a million credit card numbers in Australia, conducted by Eastern European hackers, involved the installation of keystroke-logging software on point-of-sale terminals (POS) and siphoning card data remotely. The hackers compromised the credit card data of more than 80,000 customers and made millions of dollars of unauthorized purchases over a period from 2008 until May 2011. The hackers also breached more than 200 POS systems during this time, indicating a sustained and ongoing breach [13880].
Behaviour omission, value, other (a) crash: The software failure incident described in the articles does not mention a crash in which the system loses state and performs none of its intended functions [13880]. (b) omission: The incident involves the system failing to perform its intended functions at certain instances, for example when the hackers installed keystroke-logging software on point-of-sale terminals to siphon card data remotely [13880]. (c) timing: The articles do not describe the system performing its intended functions too late or too early [13880]. (d) value: The failure in this incident involves the system performing its intended functions incorrectly, leading to the compromise of credit card data and unauthorized purchases [13880]. (e) byzantine: The incident does not exhibit behavior in which the system responds erroneously with inconsistent responses and interactions [13880]. (f) other: The behavior in this case is a security breach facilitated by the installation of keystroke-logging software on point-of-sale terminals, indicating a failure of the system's security measures [13880].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property (d) property: People's material goods, money, or data were impacted due to the software failure. The software failure incident involving the breach of half a million credit card numbers in Australia resulted in the theft of card data from point-of-sale terminals by Eastern European hackers. The hackers installed keystroke-logging software on the terminals and siphoned card data remotely, leading to unauthorized purchases and compromising the credit card data of more than 80,000 customers. The hackers used the stolen data to make millions of dollars of unauthorized purchases, indicating a significant impact on people's financial assets and data security [13880].
Domain sales (a) The failed system was related to the sales industry. The incident involved a breach of credit card numbers at a merchant in Australia, where hackers installed keystroke-logging software on point-of-sale terminals to steal card data remotely [13880]. The compromised data was then used for unauthorized purchases, indicating a direct impact on the sales transactions within the industry.

Sources
