Archive: November 2015

1
Complex ModPOS Malware Infects Point-of-Sale Terminals in Lead up to Christmas Spend Frenzy
2
Hotel Industry Payment Systems Under Attack
3
10 Considerations for Developing a Data Breach Response Plan
4
Operation Resilient Shield
5
Victorian Racing Integrity Commissioner Seeks Access to Metadata

Complex ModPOS Malware Infects Point-of-Sale Terminals in Lead up to Christmas Spend Frenzy

By Cameron Abbott and Meg Aitken

While the festive season approaches and retailers prepare for their busiest time of the year, a sophisticated form of point-of-sale malware, known as ‘ModPOS’, has reared its ugly head and is targeting payment terminals in the U.S.

It is estimated that the first ModPOS data hacks occurred in 2013 and that millions of credit and debit cards used at a broad variety of U.S. retailers have since been compromised. The unique complexity of the code, which experts say has never been seen before in malware, made it tricky to decipher.

Cyber security experts have warned that ModPOS has the ability to not only “scrape” credit and debit card numbers from the memory of point-of-sale terminals, but that the multifaceted code also records keystrokes of computer operators and transmits stolen data. If that isn’t enough, the malware is particularly difficult to detect and is reportedly capable of infiltrating despite security software and data controls.

More details about ModPOS malware can be found here.

Hotel Industry Payment Systems Under Attack

By Cameron Abbott and Meg Aitken

Stayed at one of Hilton Worldwide Holdings’ (Hilton) hotels between 18 November – 5 December 2014 or 21 April – 27 July 2015? Check your bank statement.

Within the same week, both the Hilton and Starwood Hotels & Resorts Worldwide Inc. (Starwood) have discovered the point-of-sale terminals at a number of hotels across the globe have been infected with malware.

The malicious malware has enabled hackers to pinch the credit and debit card information of Starwood and Hilton customers, however there is apparently no evidence that personal contact information provided as part of the hotels’ guest-reservation system or loyalty rewards program was stolen.

While the attack on Starwood was confined to 54 of its hotels in North America, the Hilton attack affected the chain’s hotels globally, including Australian establishments. The number of cards compromised has not been revealed by either hotel.

Starwood and Hilton hotels are not the only luxury hotel chains to be affected by data hacks in 2015. The Mandarin Oriental and Trump International have also reported data security breaches involving intrusive malware this year. In the case of Starwood the hack occurred over eight months without detection showing how sophisticated some of these attacks are.

Starwood’s media release can be found here. Hilton’s media release can be accessed here.

10 Considerations for Developing a Data Breach Response Plan

By Jim Bulling and Michelle Chasser

A quick response to a data breach is key to mitigating its impact. The Office of the Australian Information Commissioner (OAIC) recommends that all entities have a data breach response plan in place and has recently released draft guidance on how to develop such a plan.

The guidance recommends that the plan include setting out the actions to be taken in the event of a breach and the team members involved in those actions. Here are some questions for your organisation to consider based on the OAIC’s draft guidance to developing a data breach response plan.

1. What constitutes a data breach?

2. What actions should your staff take?

3. Who is a member of the response team?

4. When does a breach needs to be escalated to senior management?

5. Who is responsible for contacting and managing any affected individuals?

6. Who decides whether to contact law enforcement or regulators?

7. How are records of data breaches kept?

8. How will you identify and address any weaknesses in data handling that contributed to a data breach?

9. Are there any steps your cybersecurity insurance policy requires you to follow?

10. How will you test your response plan?

The OAIC’s Guide to developing a data breach response plan Consultation draft can be found here.

Operation Resilient Shield

By Jim Bulling and Michelle Chasser

The US and UK are set to launch Operation Resilient Shield later this month. Operation Resilient Shield is a cybersecurity exercise to test each country’s readiness to withstand a serious attack designed to steal financial information and disrupt financial systems. Banks and government agencies in both countries will be involved.

As with the UK’s previous large scale cybersecurity exercise in 2013, Operation Waking Shark II, not a lot of detail about the operation has been released. The UK Computer Emergency Response Team (CERT) will be overseeing the operation and is thought to be focusing on communication between the two governments and the participating banks as well as amongst the participating banks themselves.

The joint UK US operation was originally announced in January 2015 by UK Prime Minister David Cameron and US President Barack Obama as part of an agreement between the two countries to develop cybersecurity cooperation principles.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.