Oracle hack could impact payments for hundreds of thousands of businesses

There's some potentially bad news for a lot of Oracle customers surfacing today, as it seems the company has fallen victim to a data breach. According to KrebsOnSecurity, the breach affected Oracle's MICROS division, which provides point-of-sale systems and support for many businesses around the world. In fact, the number of locations using MICROS around the world comes in at more than 330,000, spread across 180 different countries.

That makes MICROS one of the most used point-of-sale systems in the world. According to the KrebsOnSecurity report, the breach was considered to be small-scale at first, with anonymous sources claiming that what likely occurred was that a single system became infected by malware, which then spread to other systems on Oracle's network.

Though Oracle is said to still be investigating the scale of the attack, here's the kicker about this report: a pair of unnamed sources told KrebsOnSecurity that the MICROS customer support portal was seen communicating with a server belonging to the Russian Carbanak Gang, which allegedly has a long and storied history of stealing money through attacks like these.

When discussing the systems that eventually became infected, Krebs' sources mentioned the ticketing system Oracle uses to help MICROS customers troubleshoot problems. These sources also claim that the hackers placed malicious code on the support portal itself, potentially making off with client usernames and passwords.

None of that has been confirmed yet, but Krebs said that Oracle didn't comment on the rumors directly, and we found the same when we got in touch with the company. Instead, Oracle provided a copy of the letter it sent its MICROS clients:

Dear MICROS Customer,

Oracle Security has detected and addressed malicious code in certain legacy MICROS systems. Oracle's Corporate network and Oracle's other cloud and service offerings were not impacted by this code. Payment card data is encrypted both at rest and in transit in the MICROS hosted environment.

To prevent a recurrence, Oracle implemented additional security measures for the legacy MICROS systems. Consistent with standard security remediation protocols, Oracle is requiring MICROS customers to change the passwords for all MICROS accounts. Information for customers on how to change your passwords has been published on My Oracle Support (Doc ID 2165744.1). We also recommend that you change the password for any account that was used by a MICROS representative to access your on-premises systems.

Please refer to My Oracle Support (Doc ID 2165744.1) and the attached FAQs for additional information. You may also contact MICROS Support at We apologize for any inconvenience this may cause you.

The Oracle Hospitality & Retail Team

As the Krebs report points out, the precautions taken here could be an attempt to make sure that whoever is behind the attack can't eventually make their way into the individual point-of-sale systems used by MICROS clients. If that were to happen, the attackers could potentially place malware designed to collect credit card information onto those systems, making off with details of each credit card swiped at the point-of-sale station.

For now, though, we only have confirmation that the malicious code was detected and dealt with. Beyond that, we'll have to wait for further news on the matter. The unnamed sources Krebs spoke to and Oracle seem to be singing different songs, though, which makes this report one to watch. Stay tuned.

SOURCE: KrebsOnSecurity