The Verizon Data Breach Investigations Report (DBIR) is an annual report on the threats faced by small to medium-sized businesses. The 12th DBIR, published in 2019, is based on data breach information from 101,168 incidents contributed by 73 sources across 86 countries. The report provides a detailed analysis of who was behind the attacks, what actions were used, and which industries were breached. Of the 87 breaches in the accommodations industry, 38 originated at the point of sale (POS). In these breaches, 95% of the threat actors were external, 100% were financially motivated, and 77% resulted in the disclosure of payment data.
The POS systems were attacked specifically through malware, hacking, and social engineering. There were 32 counts of malware on the POS controller (server) and 27 counts on the POS terminal. Hacking the mail server accounted for 8 counts, and hacking the POS controller and the POS terminal accounted for 7 counts each. Phishing contributed 8 counts of access to the email server. Backdoor malware attacked the POS controller and the POS terminal 6 times each, and brute-force attacks penetrated the POS controller 5 times and the POS terminal 3 times.
All of these breaches were preventable with appropriate security measures in place for the web applications and the network, including training for the system's users. However, the report does not tell us whether the businesses knew of the risk posed by their security vulnerabilities and accepted that risk instead of putting safeguards in place. We do know from the report that 5% of the attacks were internal, and internal attacks are harder to detect, especially if access controls are not implemented appropriately.
The report does not say whether the breached businesses were in compliance with GDPR or PCI. Being in minimum compliance does not mean the systems are fully secure, but non-compliance with GDPR and PCI regulations is punishable with hefty fines. Businesses under the GDPR are subject to fines of up to 10 million dollars or 2% of their global annual revenue, whichever is higher. The fines for PCI non-compliance range from $5,000 to $100,000 per month, compounding until compliance has been met.
Monitoring software is useful, but understanding what that software should do and what it should monitor is better. Meeting GDPR and PCI compliance begins with understanding what each requires. Their compliance regulations can be found at https://www.pcicomplianceguide.org/faq/ and https://gdpr.eu/.