InTouchPOS data stolen, ex-employee suspected

Petaluma, Calif., police arrested three individuals on June 9, 2017, on suspicion of identity theft and drug possession, according to the Santa Rosa Press Democrat, a regional newspaper. A routine traffic stop led to the discovery of illegal and restricted drugs, as well as personal data reportedly stolen from InTouchPOS, a global hospitality service provider based about 70 miles away in Walnut Creek, Calif.

In addition to cocaine, methamphetamine and pharmaceuticals found in the car, police uncovered a cache of personal identifying information belonging to approximately 100 people. Authorities are investigating one of the arrestees, former InTouchPOS employee Brittany Spears, for possible identity theft, Petaluma Police Sgt. Lance Novello said.

Novello noted that the recovered stolen data includes names, addresses, birthdays, Social Security numbers, banking credentials and credit card account numbers. “The potential victim list spans the United States and losses are yet to be determined, as most victims are unaware,” he said, adding that the investigation will be “extensive, ongoing and involve the Walnut Creek Police Department.”

Past employees, present threats

Security analysts have repeatedly warned merchants to guard against current and former employees gaining unauthorized access into company networks. Steve Robb, President, Managed Compliance Services at ControlScan, said businesses need to continually monitor the information employees can access and implement permission levels.

“Malicious insiders pose a real data security threat, even after they quit or have been fired,” he said. “Individual access should be ‘least privilege,’ which means access to only what’s required to do a particular job. And then their access to any systems must be completely removed, as quickly as possible, upon their departure.”

Robb further noted that insider threats are more quickly discovered when business systems are continuously monitored for any unusual or unauthorized user behavior, such as accessing areas that a user has no need to access or transferring data that shouldn’t be transferred. “Proactive monitoring requires an investment in technology and people, but it more than pays for itself in terms of loss prevention,” he added.

POS companies targeted

Cybersecurity specialists have observed that the ongoing scourge of attacks against POS service providers shows no sign of abating. Recent malware discoveries at Kmart and Chipotle are recent examples of how criminals exploited vulnerabilities in retail and hospitality POS systems.

The InTouchPOS incident demonstrates that even the most secure and compliant POS systems can be vulnerable to inside attacks. The company has provided customizable POS software since 1988 and is well-respected in the payments industry. Its suite of solutions includes turnkey systems designed to enhance efficiencies by helping business owners manage front- and back-office operations, according to the company’s website. The company was not available for comment on the recent arrest or ongoing investigation.

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.