The Green Sheet Online Edition
December 28, 2009 • Issue 09:12:02
Radiant, Computer World in the lawsuit soup
Seven Louisiana restaurants filed a joint lawsuit against POS systems manufacturer Radiant Systems Inc. and POS systems distributor Computer World, alleging their negligence led to data breaches that compromised hundreds of consumer card numbers.
The lawsuit, filed in the 15th Judicial District Court of Lafayette, La., asserts that the Aloha POS payment systems - manufactured by Radiant Systems, sold by Computer World and used by all seven plaintiffs when their respective outlets were breached - were inadequately fortified against intrusion and noncompliant with the Payment Card Industry (PCI) Data Security Standard (DSS) when said systems were invaded by hackers.
Court papers were originally filed in March 2009, but only last month did a judge approve plaintiffs' request for a joint lawsuit.
Speaking for the plaintiffs
Ernest Svenson, a lawyer for the plaintiffs, said his clients were apprised of the data breaches by local law enforcement in the spring of 2008, and the breaches all took place within a year of that time.
The suit alleges the breaches happened after Visa Inc. notified Radiant Systems in April 2007 that the operations of Aloha POS software violated certain PCI DSS mandates, including the forbidden storage of certain card information such as card verification numbers and PINs at POS locations.
It states further that the systems were hacked through the use of "keyloggers," a type of remotely operated malware that intercepts passwords and other information by reading keystrokes on a computer.
The plaintiffs are reportedly seeking compensation in the millions of dollars, including for losses stemming from post-breach security audits, fines levied by Visa and reputational damage as a result of the breaches, which generated local media coverage.
A press release issued by the plaintiffs says an investigation by the United States Secret Service (which commonly deals with similar matters relating to fraud and identity theft) found a number of ways in which Computer World violated PCI DSS provisions in its sale and configuration of Aloha POS software.
Allegedly among them is that Computer World misrepresented older model POS systems as new models to clients, used a remote access system that lacked adequate security controls and used the same password for at least 200 different operators of the equipment.
"Ports were left open and access points that should have been locked down weren't," Svenson said. Svenson said other Louisiana-based retailers who suffered breaches with Aloha POS software aren't as yet involved in the lawsuit, though he added that the addition of new plaintiffs was "a real possibility." He said the breaches resulted from multiple intrusions on various Aloha systems and that the hackers were likely from former Soviet Bloc countries.
Radiant Systems Chief Executive Officer John Heyman issued a press release in response to the lawsuit that asserts the breaches occurred outside of the POS software networks alleged to have been faulty.
"Specifically, these customers [the plaintiffs] were victims of criminal acts almost two years ago, involving hackers who installed malicious software, which intercepted credit card data prior to it reaching the POS software," Heyman said in the release.
He added that "Radiant's products were among the first POS technologies to be validated against Visa's initial set of data security requirements in 2005. Since the inception of these requirements, Radiant has continuously maintained payment industry validation ... when releasing our software."
Observers, however, said the multitude of breached parties bodes poorly for the case's defendants.
"If it's a single breach, well, that's one thing," said Rick Fischer, an attorney who specializes in data theft and PCI compliance issues. "But if in fact there are multiple violations, multiple breaches, as a result of a pattern of practice, then that's something quite different. ... If you've got a series of similar breaches then that's not a good sign."
Linda Mahy, CEO of payments industry consulting firm Connective IQ Inc., said the lawsuit's assertions, if true, would constitute a "blatant violation of not having proper standards in place," but she added that post-breach finger-pointing can sometimes obscure the full range of culpability.
"I get really annoyed when somebody can stand back and act like they're not part of the [security] process," Mahy said. "If [the plaintiffs] are going to point their fingers at the supplier, whether the device is or is not PCI compliant or misrepresented or whatever, where was the person working for the retailer to do the due diligence in selecting the supplier?"
Andy Bokor, Chief Operating Officer of data security firm Trustwave, said the lawsuit highlighted an often overlooked, though crucial, area in the world of payment data security.
"PCI focuses on the merchant responsibilities and then you have the POS vendors being obligated to have their applications assessed," he said. "But what is interesting is those applications have to be configured correctly in order for them to be secure.
"With the remote access vulnerabilities that were exposed, the software in and of itself could have been configured securely, but if the default passwords were either blank or something easily guessed ... it's possible the system would have gotten breached regardless of whether Radiant was PA [Payment Application]-DSS compliant or not."