Cyber Incident Victim: Oracle MICROS

Date: Jul 2016

Location: Russia

Summary

A Russian cybercrime group breached Oracle's Micros point-of-sale division, compromising hundreds of systems including a customer support portal used by global retailers and hospitality firms. Attackers deployed malicious code on the portal to steal customer credentials, which prompted a forced password reset and an investigation that revealed over 700 infected systems. The intrusion raised concerns that compromised support credentials could enable remote installation of card-stealing malware on customer point-of-sale devices, though Oracle emphasized that its hosted environments encrypted payment data and stated that corporate networks were unaffected. The incident highlighted risks to on-premises payment systems managed via the compromised portal.

Description

In August 2016, Oracle Corporation confirmed a cybersecurity breach affecting its MICROS point-of-sale division after KrebsOnSecurity reported unauthorized access by a Russian cybercrime group linked to the Carbanak Gang. The intrusion involved malicious code detected in legacy MICROS systems, prompting Oracle to mandate password resets for all customers using the MICROS online support portal. Initial internal assessments suggested limited compromise, but further investigation revealed over 700 infected systems within Oracle’s retail division network. The breach reportedly originated from a single compromised device that spread to other systems, including a customer support ticketing portal used for remote troubleshooting of MICROS point-of-sale terminals. Attackers implanted malware on this portal to harvest login credentials when customers accessed the support website. Oracle’s public statement acknowledged the incident but emphasized that its corporate network, cloud services, and encrypted payment card data within MICROS-hosted environments remained unaffected.

The compromise of MICROS systems—used at over 330,000 cash registers across retail, hospitality, and food service sectors—raised concerns about secondary risks to customer-owned on-premises devices. Oracle advised clients to reset passwords for accounts used by MICROS representatives to access local point-of-sale systems, indicating potential pathways for attackers to deploy card-stealing malware. Security experts briefed on the incident noted ties between the MICROS support portal and Carbanak infrastructure, a group implicated in over $1 billion in thefts from financial and retail targets. The breach timeline remained unclear, though Oracle began notifying customers in late July 2016 after internal detection efforts expanded with updated security tools. While Oracle asserted encryption safeguards for payment data, analysts highlighted risks to physical point-of-sale terminals if attackers leveraged stolen credentials for remote access—a method previously linked to major retail breaches. The incident occurred amid Oracle’s strategic push into cloud services, including a $9 billion acquisition of NetSuite announced weeks later.
