A Texas restaurant chain is suing one of its suppliers over a point-of-sale system which allowed hackers to steal customer data – claiming that card-processing giant Micros Systems supplied units which failed to meet security guidelines, allowing for large-scale theft.
Cotton Patch Cafe alleges that the Micros Systems point-of-sale system did not meet industry standards, and this allowed “a hacker” to access credit card information and clone credit cards in 2006 and 2007. The trial will start on Monday in Baltimore’s U.S. District Court
“The system was not compliant at the time they sold it to us,” said Larry Marshall, president of Cotton Patch Cafe, in an interview with the Baltimore Business Journal.
”Cotton Patch Café had been using Micros Systems to install and manage our point-of-sale system since our initial installation, and a critical element of that was ensuring the system met security guidelines,” Marshall said in an interview. “Unfortunately, it did not, and its failure resulted in significant negative impact on us and our customers. We discovered several of Micros’ clients experienced similar security breaches, we were not made aware of the problem and Micros knowingly sold software that did not meet industry standards. They left the small guys out there to fend for themselves.”
Cotton Patch Cafe has spent $800,000 on legal fees and $250,000 in fines due to Visa and Mastercard for not having a compliant system, Marshall said.
Roger Nebel, Cotton Patch’s forensics expert, claims that after one patch “malware provided a back door into the system and facilitated the hacker’s ability to access credit card data,” according to a court memorandum posted by DataBreaches.net. The trial relates to point-of-sale units during the period 2003-2007, after Cotton Patch upgraded its restaurant point-of-sale units from dial-up connection to DSL broadband.
A Micros Systems spokesperson described the lawsuit as “frivolous”.
Author Rob Waugh, We Live Security