Payment solutions provider Verifone is reportedly investigating a breach of its internal computer networks dating back to mid-2016 that may have affected a number of businesses running its point-of-sale (POS) terminals.
According to a report by investigative journalist Brian Krebs, the payments giant said the extent of the breach is limited to its corporate network and did not impact its payment services network.
The San Jose, Calif.-based company is the leading manufacturer of payment card terminals in the United States, selling POS systems and services to a range of businesses, including retailers, gas stations and taxis.
In a blog post published Tuesday, Krebs said Verifone sent an “urgent” email to all company staff and contractors on January 23. A copy of the email was obtained by Krebs, which informed employees the company was investigating “an IT control matter” in its environment.
“As a precaution, we are taking two immediate steps to improve our controls,” wrote Horan. Employees were instructed to “make every effort” to change their passwords that day. The email also announced employees would no longer be able to install additional software onto their desktops or laptops.
In response to the breach reports, Verifone spokesman Andy Payment told Krebs the company learned of the “limited intrusion” earlier this year.
“In January 2017, Verifone’s information security team saw evidence of a limited cyber intrusion into our corporate network. Our payment services network was not impacted. We immediately began work to determine the type of information targeted and executed appropriate measures in response. We believe today that due to our immediate response, the potential for misuse of information is limited.”
It is not yet clear how the company initially detected the incident. However, a source familiar with the matter told Krebs that the email alert sent on Jan. 23 was in response to a notification Verifone received from Visa and MasterCard just days before.
According to the source, Visa and MasterCard were notified that intruders appeared to have been inside Verifone’s network since mid-2016.
In a separate statement, Verifone later added that forensic information revealed the cyber attempt was limited to controllers at approximately two dozen gas stations, and occurred over a short time frame.
“We believe that no other merchants were targeted and the integrity of our networks and merchants’ payment terminals remain secure and fully operational,” said Verafone.
For more information, read Krebs’ full report here.