
Cyber Incident Victim: C&K Systems

Date:

Feb 2013

Location:

United States of America

Summary

A breach at C&K Systems compromised point-of-sale (POS) systems managed through its Hosted Managed Services Environment, affecting at least three retailers including Goodwill Industries. Attackers deployed a customized variant of Infostealer.Rawpos, a memory-scraping malware that harvested unencrypted payment card data from POS process memory for roughly 18 months before it was detected. The theft surfaced as fraudulent transactions that financial institutions traced back to Goodwill; the total number of affected cards was never established. The intrusion method, compromising POS systems to capture card data before it was encrypted, mirrored tactics used in contemporaneous attacks on other major retailers, although the use of distinct malware families suggests that multiple criminal groups were at work. C&K confirmed the breach was limited to its managed services platform and did not affect other clients.

CIA Posture: available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: available to members
Location: available to members

Description

The breach affecting C&K Systems and its retail clients was first publicly disclosed in July 2014, when security researcher Brian Krebs linked a credit card data theft at Goodwill Industries to C&K's managed services. Forensic investigation later established that attackers intermittently accessed C&K's Hosted Managed Services Environment, a platform supporting POS systems for multiple retailers, between February 10, 2013, and August 14, 2014. This 18-month intrusion compromised payment systems for at least three retailers, including Goodwill; the other two affected customers were not identified. Attackers deployed a customized variant of Infostealer.Rawpos that was not detected by security software until September 5, 2014. This memory-scraping malware did not attack the encrypted channel at all: it read the magnetic-stripe track data (PAN, expiry, service code) in cleartext from the POS application's process memory, in the window after the card swipe and before the application encrypted the data for transmission to the payment processor. The breach was ultimately detected not by C&K's own monitoring but by financial institutions tracing fraudulent transactions back to Goodwill as the common point of purchase; the fraud concentrated at big-box retailers and grocery stores, where the stolen data was used to buy easily monetized goods such as gift cards.
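To make the memory-scraping mechanism concrete, the following is an added example and not code from the page or from the incident: it performs the same search a RAM scraper such as Infostealer.Rawpos runs over POS process memory (regular expressions for Track 1 and Track 2 syntax, filtered by a Luhn check), but as a defender's detection control run over memory dumps. The two "heap" buffers are constructed for this example; the PANs are published test numbers, not real cardholder data. It also shows why a reader that encrypts at swipe time defeats this class of malware: the scan of the second buffer, which holds only an opaque (constructed) ciphertext blob, returns nothing.

```python
"""
Scan a process-memory image for cleartext magnetic-stripe track data.

Attacker and defender look for the same thing: a RAM scraper searches POS
process memory for track syntax so it can exfiltrate card data; a defender
running this over periodic memory dumps of POS processes finds out that the
data is sitting in the clear at all. All buffers below are constructed.
"""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check that separates real PANs from digit runs that merely look like them."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits so the finding itself is not cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(image: bytes) -> list:
    """Return one finding per Luhn-valid track record in the buffer, ordered by offset."""
    findings = []
    for m in TRACK1_RE.finditer(image):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({"track": 1, "offset": m.start(),
                             "pan": mask(pan), "expiry": m.group(3).decode()})
    for m in TRACK2_RE.finditer(image):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({"track": 2, "offset": m.start(),
                             "pan": mask(pan), "expiry": m.group(2).decode()})
    return sorted(findings, key=lambda f: f["offset"])


# Constructed stand-in for a POS process heap that handles the swipe in the clear:
# the reader hands track data to the application before anything encrypts it.
CLEARTEXT_POS_HEAP = (
    b"\x00" * 32
    + b"%B4111111111111111^DOE/JOHN^25121010000000000000?"  # test PAN, Luhn valid
    + b"\x00" * 16
    + b";4111111111111112=25121010000000000?"                # last digit altered: Luhn fails
    + b"\x00" * 16
    + b";5555555555554444=26011010000000000?"                # second test PAN, Luhn valid
    + b"\x00" * 32
)

# Constructed stand-in for the same process behind a reader that encrypts the track
# at swipe time (P2PE-style): the application only ever holds an opaque blob, so a
# scraper searching for track syntax finds nothing to steal.
ENCRYPTING_READER_HEAP = (
    b"\x00" * 32
    + bytes.fromhex("9f2a4c17e8b36d0f5a7c1e92bb4d8e61") * 3  # made-up ciphertext bytes
    + b"\x00" * 32
)

if __name__ == "__main__":
    for name, heap in (("cleartext POS", CLEARTEXT_POS_HEAP),
                       ("encrypting reader", ENCRYPTING_READER_HEAP)):
        hits = scan_memory(heap)
        print(f"{name}: {len(hits)} track record(s)")
        for h in hits:
            print("  ", h)
```

The Luhn filter matters in practice: POS memory is full of digit runs (timestamps, terminal IDs, amounts), and without it the scan drowns in false positives. The masking in the findings is deliberate, since a detection log that stores full PANs just creates another copy of the data the control exists to protect.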


The incident exposed the risk concentrated in third-party managed service providers: a single compromised platform gave the attackers prolonged access to multiple retailers' payment systems. While C&K reported the breach contained by mid-August 2014 and stated that only three clients were affected, the total number of compromised payment cards was never quantified. The attack methodology mirrored the pattern of contemporaneous breaches at Target, Home Depot, and Neiman Marcus, although those involved distinct BlackPOS malware variants, which suggests several organized groups were targeting POS systems at the time. Notably, the malware did not need to defeat the encryption PCI DSS requires for stored data and for transmission over open networks: it read the track data in cleartext from POS process memory, in the window between the card swipe and encryption. That gap is not closed by PCI DSS compliance alone; it is what point-to-point encryption at the card reader is meant to remove. Financial impacts included direct fraud losses and the operational cost of forensic investigation, though no monetary figures were disclosed. The breach also fell within the period in which the United States lagged in adopting EMV chip cards (chip-and-PIN); because magnetic-stripe track data can be written onto counterfeit cards, the absence of EMV was cited in the incident context as what made the stolen data so readily monetizable.

Sources: 1 source (available to members)