POS Breaches: Bankrupting Small Businesses and Impacting the Supply Chain

There’s a popular cybercrime statistic that has been vexing me for years, and if you read cybersecurity news regularly, I’m sure you’ve seen it cited a few dozen times as well:

60% of small businesses close their doors within six months of a cyber-attack.

I’ve always been skeptical of that bold statistic. As Mark Twain wrote in his autobiography, attributing the now famous quote to British Prime Minister Benjamin Disraeli, “There are three kinds of lies: lies, damned lies and statistics.” Sixty percent is incredibly high (and what percent of these companies would have failed anyway, cyber-attack or not?); nevertheless, I’ve always wanted to find the source of that data and delve into the stories behind that number.

I’ve largely failed on both of those fronts over the past few years.

First, the statistic is most often attributed in some vague way to either the National Cyber Security Alliance or the U.S. House Small Business Subcommittee on Health and Technology. In fact, National Cyber Security Alliance executive director Michael Kaiser did quote that statistic before the House Small Business Subcommittee on Health and Technology in December 2011, but he was actually citing a Business Insider article from three months prior. The Business Insider article is similarly vague, saying only that “about 60 percent of small businesses will close shop within six months of an attack” — but providing no other context to back up that assertion.

Second, my repeated attempts to find small businesses that have failed due to cyber-attacks — and are willing talk publicly about those failures — have come up mostly empty.

When Breaches Lead to Bankruptcy

All of this serves as a backdrop to the recent conviction of Roman Valerevich Seleznev, aka Track2, 32, of Vladivostok, Russia. Seleznev was convicted on August 25 of 38 counts related to hacking point-of-sale systems and stealing payment card information. According to trial testimony, Seleznev’s scheme led to more than $169 million in losses across 3,700 financial institutions.

Perhaps most interesting — at least when it comes to my ongoing quest to chronicle small businesses being put out of business by cybercrime — was this tidbit from the Department of Justice press release:

Many of the businesses [targeted by Seleznev] were small businesses, some of which were restaurants in Western Washington, including the Broadway Grill in Seattle, which was forced into bankruptcy following the cyber assault.

According to the indictment, Seleznev and others used automated techniques such as port scanning to identify vulnerable retail point-of-sale systems that were connected to the Internet and then infect those systems with malware.

“[Seleznev and others] hacked into, installed malware on, and stole credit card track data from, hundreds of retail businesses in the Western District of Washington and elsewhere,” the indictment stated. “[They] stole, in total, over two million credit card numbers, many of which they then sold through their dump shop websites … generating millions of dollars of illicit profits.”

Seattle’s iconic The Grill on Broadway was one of those small businesses to be hit by point-of-sale malware in 2010. The incident, along with other issues inherited from previous owners, led to the restaurant being closed in 2013.

“It became a target of a credit card number harvesting scheme that claimed a number of businesses on Broadway as victims,” the Seattle Gay Scene wrote at the time of the closing. “Several years of missed software updates played a significant role in the incident and [owner Matthew] Walsh and his team discovered this fact only a few months after purchasing the business. The effects were devastating to The Grill, generating massive amounts of negative publicity and drastically reduced revenue at the restaurant.”

The resources required to stay afloat were simply too much.

“In spite of what it may seem, we’re a very small business,” Walsh said. “We don’t have endless financial resources to keep us afloat like a chain restaurant or large corporation could.”

Recent Supply Chain Issues Affect POS Systems

The conviction of Seleznev over stolen payment card information and the re-emergence of The Grill on Broadway’s story comes during the same month that several point-of-sale vendors, including Oracle MICROS, have announced potential compromises — and a series of retailers and hotels have subsequently published data breach notifications.

Those breaches haven’t been explicitly connected, but several of the hotels to recently announce breaches have previously confirmed using MICROS products.

For example, Millennium Hotels & Resorts (MHR), which recently announced a data breach affecting food and beverage point-of-sale systems at 14 hotels, said it was notified by a third-party service provider about “malicious code in certain of its legacy point of sale systems, including those used by MHR.”

“The third party is a significant supplier of PoS systems to the hotel industry,” a spokesperson responded when SurfWatch Labs inquired about problems stemming from the supply chain. “It is aware of these issues. We are not disclosing the name.”

However, in 2008 MICROS Systems, now owned by Oracle, announced that Millennium Hotels & Resorts would be using MICROS “as the standard food and beverage point-of-sale solution for its 14 Millennium Hotel properties located in the United States” — so it’s possible there’s some connection between the breaches.

The same Russian group that hit MICROS has targeted at least five other cash-register providers, according to Forbes’ Thomas Fox-Brewster. Investigations are ongoing, but as we noted in our recent report, cybercrime is increasingly interconnected and compromises can quickly move down the supply chain, affecting everyone from small businesses to large enterprises.

If that 60% statistic is true, even partially, then it begs the question: will these recent breaches in the point-of-sale supply chain lead to more shuttered doors in the future?

And will we hear those businesses’ stories if it does happen? Or will they just become another vague statistic that we all continue to reference?