DataBreaches.Net


Risky business: Remote Desktop opened the door for Aloha hackers

Posted on November 25, 2009 by Dissent

When nine restaurants in Louisiana and Mississippi filed lawsuits against Radiant Systems and its Louisiana distributor, they may have represented only the tip of a substantial iceberg of hacks affecting restaurants that used Radiant Systems’ Aloha POS system.  It seems that the scope of the problem is first coming to the public’s attention approximately one and a half years after the hacking incidents started.

Breaches in Other Parts of the Country

During a two-month period in late 2008, a Spicy Pickle franchise in Michigan was hacked and 150 customers’ card data were stolen and misused. The franchise closed in June 2009, reportedly unable to recover from the loss of customer confidence after the breach. At around the same time in 2008, Ted’s Cafe Escondido in Oklahoma also reported being hacked. Although both breaches were reported at the time on PogoWasRight.org, the POS system they were using was not reported in the media.  Unbeknownst to me at the time,  a forum member on FoodService.com commented on both breaches by noting both restaurants used the Aloha system. There was no indication in the forum member’s report, however, as to whether the restaurants  had removed any remote access software that was suspected of creating the vulnerability to hacks or whether the restaurants had used commercial grade firewalls.

Hacks Started in Early 2008

Also flying completely under my radar at the time, in December 2008, WKZO News reported this about the Spicy Pickle hack:

Co-owner Terry Henderson says the FBI’s been investigating fraud cases across the country for seven months and they were just the latest victims.

“There’s a similar thread to all of it and it keeps leading to one particular software manufacturer,” says Henderson, adding that he’s not at liberty to say which manufacturer that is. “It’s a popular software that’s used by thousands of restaurants throughout the country.”

Continuing to work backwards to see what else I had missed, I found that in August 2008, WAFB and the Associated Press had reported that a rash of hacks involving Louisiana restaurants began in March 2008. And although Aloha’s name did not appear in any media reports on affected restaurants, when the Secret Service met with Louisiana restaurateurs in August 2008, they may have specifically mentioned the Aloha system. Another poster on the FoodServices.com forum wrote on August 19, 2008:

I spoke to someone who attended the meeting outlined in the Associated Press article. The meeting was set up by the Lousiana (sic) Restaurant Association and was attended by the Secret Service agent on the case, a US Attorney and a represtative (sic) from Visa. During the meeting it was presented that the 15 breaches occured (sic) were all Aloha POS systems. It was stated that he hackers were able to breach the systems as the Remote support software were all using the same User Name and Password (this is against PCI requirements). The hackers installed a “sniffer” program that would capture credit card data on the Local LAN (ie private network).

So it seems as if suspicions about Aloha were being raised over a year ago but were not specifically mentioned in media coverage.

Radiant’s Response

In August 2008, within days of the Secret Service and Visa representatives meeting with Louisiana restaurateurs, Aloha sent a data security alert to its customers. The alert said, in part:

Radiant Systems has been working with Visa on an emerging issue that could cause POS systems to be compromised. The specific vulnerability is related to Remote Desktop being enabled on BOH servers, POS terminals, and routers, which may allow intruders to gain access to POS systems. Once intruders gain access they could install malware such as packet sniffers to capture card holder data. Remote access to POS systems is critical to supporting sites, but can also provide a method for unauthorized users to obtain access to systems and potentially sensitive credit card data. Configuring and managing access to POS systems is extremely important.

The alert then provided specific steps Aloha clients should take to configure their systems securely including:

  • Disable Remote Desktop on routers, BOH servers, and POS terminals, if this remote access tool is not used to support the site.
  • Use Command Center as the single means of remote access for Aloha POS systems to ensure the highest level of site security. Command Center has a number of inherent features that significantly increase your ability to support sites, and also significantly decrease the risks associated with accessing sites.

Alternative measures were described for those who chose to leave remote access tools enabled.
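
The first step in the alert can be checked host by host. The script below is an added example, not taken from Radiant's alert or from this post: it reports whether Remote Desktop is enabled and reachable on a Windows BOH server or POS terminal, and turns it off only when `-Disable` is passed. It assumes a current Windows build with PowerShell 5.1 and the built-in NetSecurity cmdlets (not the systems in use in 2008), an elevated session, and English group names.

```powershell
# Added example: audit Remote Desktop exposure on one Windows host.
# Read-only unless -Disable is passed. Run from an elevated session.
param([switch]$Disable)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'
$ts     = Get-ItemProperty -Path $tsKey
$rdp    = Get-ItemProperty -Path $rdpKey

# fDenyTSConnections = 0 means the host accepts Remote Desktop connections.
$rdpEnabled  = ($ts.fDenyTSConnections -eq 0)
# UserAuthentication = 1 means Network Level Authentication is required.
$nlaRequired = ($rdp.UserAuthentication -eq 1)

# Enabled inbound rules in the built-in "Remote Desktop" firewall group.
$openRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })

# Is anything listening on the configured RDP port (3389 unless changed)?
$listeners = @(Get-NetTCPConnection -State Listen -LocalPort $rdp.PortNumber `
    -ErrorAction SilentlyContinue)

# Accounts allowed to log on over RDP besides local administrators.
# The group name is localized on non-English installs (assumption: English).
$rdpUsers = @(Get-LocalGroupMember -Group 'Remote Desktop Users' `
    -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name)

[pscustomobject]@{
    Host          = $env:COMPUTERNAME
    RdpEnabled    = $rdpEnabled
    NlaRequired   = $nlaRequired
    Port          = $rdp.PortNumber
    Listening     = ($listeners.Count -gt 0)
    FirewallRules = ($openRules | ForEach-Object { $_.DisplayName }) -join '; '
    RdpUsers      = $rdpUsers -join '; '
}

if ($Disable -and $rdpEnabled) {
    # Refuse new RDP connections and close the matching firewall rules.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Write-Output 'Remote Desktop disabled on this host.'
}
```

A domain Group Policy that sets Remote Desktop can override the local registry value, so re-run the audit after the next policy refresh to confirm the setting held.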

Their alert may well have prevented more restaurants from being hacked, but may be small comfort to the allegedly many restaurants who had already suffered hacks resulting in lost business, fines by Visa and Mastercard, and the cost of forensic audits and IT consultants.  Whether the juries will agree with the restaurant-plaintiffs or with Radiant Systems remains to be seen, but it would seem that some jurors are in for a real earful on security.
