Cyber Incident Victim: PAR Technology Corporation
Date: Aug 2016
Location: United States of America
Summary
A Russian cybercrime group breached multiple point-of-sale system providers, including PAR Technology, by exploiting vulnerabilities in vendor servers to steal customer credentials and gain remote access to retailers' systems, potentially compromising credit card data. The compromised server at PAR was described as non-material and lacking production data, with the company asserting confidence in its security protocols despite ongoing intrusion attempts. The attackers, linked to Carbanak malware and possibly collaborating with Dridex operators, targeted support infrastructures to infiltrate merchant networks at scale, raising concerns about widespread retail sector exposure. Other affected vendors confirmed varying degrees of unauthorized access, including malware placement and credential theft, though specific data impacts remained unclear.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In August 2016, PAR Technology Corporation was among five point-of-sale (PoS) system providers breached by a cybercrime group suspected to be of Russian origin, according to disclosures by the cybersecurity firm Hold Security. The attackers targeted PoS vendors by exploiting vulnerabilities in their servers to steal customer credentials, aiming to gain remote access to retailers' systems and potentially harvest credit card data. This campaign followed a similar breach at Oracle's MICROS division, which served 330,000 businesses. The hackers demonstrated access to PAR's systems by providing evidence of compromised credentials, though the company characterized the incident as involving a non-material server that contained no production data. PAR's vice president of marketing, Kevin Jaskolka, stated that such intrusion attempts were routine for the industry and expressed confidence in existing security measures, indicating no operational impact and no confirmed data theft.

The broader attack wave affected vendors that collectively supply over 1 million PoS terminals worldwide, raising concerns about downstream risk to the retailers they serve. While ECRS and Cin7 confirmed malware infections on customer portals and databases, PAR maintained that its breach was limited to non-critical systems. No evidence suggested that PAR's software distribution channels were compromised or that attackers reached merchant networks through its infrastructure. The company did not disclose remediation steps beyond its standard security protocols, in contrast with peers such as Uniwell, which planned to decommission the vulnerable web servers. Security researcher Alex Holden noted that the pattern reflected a strategic shift by the attackers toward PoS vendors as gateways into retail networks, since compromised vendor support credentials grant elevated access to merchant systems. The incidents were linked to Carbanak malware variants historically associated with large-scale financial theft, though attribution remained uncertain because the same tooling is used by multiple threat groups.
