Cyber Incident Victim: Uniwell Corporation
Date: Aug 2016
Location: United States of America
Summary
A Uniwell Corporation web server was compromised as part of a coordinated campaign targeting multiple point-of-sale system providers, attributed to a Russian cybercrime group using Carbanak malware. Attackers exploited vulnerabilities in vendor servers to implant malicious code designed to harvest login credentials, potentially enabling downstream access to retail payment systems. The breached Uniwell server contained only non-confidential materials like product documentation, prompting credential resets and planned server decommissioning due to persistent vulnerabilities. This incident formed part of a broader infiltration affecting over a million terminals globally, with threat actors leveraging stolen vendor access to target merchant networks and facilitate financial fraud.
Description
In early August 2016, Uniwell Corporation was identified as one of five point-of-sale (PoS) system providers breached by a cybercrime group suspected of having Russian origins, alongside Cin7, ECRS, Navy Zebra, and PAR Technology. The attackers targeted these vendors to exploit their role as suppliers to hundreds of thousands of retail businesses globally. According to cybersecurity firm Hold Security, which first uncovered the breaches, the hackers infiltrated the vendors’ servers to steal retail customers’ login credentials, intending to pivot to retailers’ PoS systems and access credit card data. The group’s methodology involved identifying vulnerabilities in the vendors’ web servers (such as a recently patched flaw in third-party Apache software exploited against ECRS) and deploying malicious code to harvest credentials. While the full scope of data theft remained unclear, Uniwell’s breach specifically involved its uniwell-americas.com web server, which hosted product manuals, installation documents, and brochures. Uniwell President Steve Mori confirmed that no confidential data was compromised but mandated password resets for all users and announced plans to decommission the vulnerable server entirely. The company, which claimed over 500,000 PoS terminals deployed worldwide, shifted customer documentation access to more secure platforms. Collectively, the five breached vendors supplied over 1 million PoS systems, raising concerns about downstream risks to retailers, particularly given prior breaches at chains like Wendy’s and Hyatt linked to PoS compromises.

The incident was part of a broader campaign attributed to actors using Carbanak malware, a tool historically associated with high-value financial thefts totaling over $1 billion. Security researchers noted Carbanak was often deployed alongside Dridex malware, with the latter used for initial infections and Carbanak reserved for deeper intrusions into high-value targets. Alex Holden of Hold Security reported that the Uniwell attackers had established backdoors on compromised servers and, in some cases, sold access to other criminals. While Oracle’s MICROS division (breached earlier that week) and three other vendors confirmed varying levels of intrusion, Navy Zebra’s investigation remained ongoing at the time of reporting. ECRS and Cin7 removed malicious code from their systems, notified law enforcement, and enforced password resets, with ECRS confirming potential theft of non-sensitive contact information. PAR Technology downplayed the incident, calling it a “non-material event” affecting a segregated server. The attacks highlighted a strategic shift by cybercriminals toward compromising PoS vendors as gateways to retail networks, leveraging vendor support systems to gain privileged access to merchant environments. Forensic evidence suggested ties to the Carbanak group’s 2014 attack on Staples, which compromised 1.16 million credit cards, though researchers cautioned multiple groups might be using the malware. No credit card data exfiltration was confirmed from the vendors themselves, but the breaches underscored systemic vulnerabilities in third-party PoS supply chains.
