Quick Thoughts on the Point of Sale Security Fail Lawsuit
Let the games begin.
It seems that Radiant Systems, a point of sale terminal company, and Computer World, the company that sold and maintained the Radiant system, are in a bit of a pickle. Seven restaurants are suing them for producing insecure systems that led to security breaches, which led to fines for the breached companies, chargebacks, card replacement costs, and investigative costs. These are real costs, people, none of that silly “lost business and reputation” garbage.
The credit card companies forced him to hire a forensic team to investigate the breach, which cost him $19,000. Visa then fined his business $5,000 after the forensic investigators found that the Radiant Aloha system was non-compliant. MasterCard levied a $100,000 fine against his restaurant, but opted to waive the fine, due to the circumstances.
Then the chargebacks started arriving. Bond says the thieves racked up $30,000 on 19 card accounts. He had to pay $20,000 and managed to get the remainder dropped. In total, the breach has cost him about $50,000, and he says his fellow plaintiffs have borne similar costs.
The breaches seemed to result from two failures – one by Radiant (who makes the system), and one by Computer World (who installed and maintained it).
- The Radiant system stored magnetic track data unencrypted, a violation of PCI standards.
- Computer World enabled remote access for the system (the control server on premise) using a default username and password.
While I’ve railed against PCI at times, this is an example of how the system can work. By defining a baseline that can be used in civil cases, it really does force the PoS vendors to improve security. This is peripheral to the intent and function of PCI, but beneficial nonetheless. This case also highlights how these issues can affect smaller businesses. If you read the source article, you can feel the anger of the merchants at the system and costs thrust on them by the card companies. Keep in mind, they are already pissed since they have to pay 2-5% on every transaction so you can get your airline miles, fake diamond bracelets, and cheap gift cards.
The quote from the vendor is priceless, and if the accusations in the lawsuit are even close to accurate, totally baseless:
“What we can say is that Radiant takes data security very seriously and that our products are among the most secure in the industry,” Paul Langenbahn, president of Radiant’s hospitality division, told the Atlanta Journal-Constitution. “We believe the allegations against Radiant are without merit, and we intend to vigorously defend ourselves.”
Maybe they can go join a certain ex-governor from Illinois on the next season of The Celebrity Apprentice, since they are reading from the same playbook.
There are a few lessons in this situation:
- The lines have moved, and PCI now affects civil liability and government regulation.
- PCI compliance, and Internet-based cardholder security, now affect even small merchants, even those without an Internet presence.
- We have a growing body of direct loss measurements (time to revise my Data Breach Costs model).
- We are seeing product liability in action… by the courts, not legislation.
- As with many other breaches, following the most basic security principles could have prevented these.
I think this last quote sums up the merchant side perfectly:
“Radiant just basically hung us out to dry,” he says. “It’s quite obvious to me that they’re at fault… . When you buy a system for $20,000, you feel like you’re getting a state-of-the-art sytem. Then three to four months after I bought the sytem I’m hacked into.”