Cyber Incident Victim: Lightspeed
Date: Sep 2016
Location: Australia
Summary
A point-of-sale vendor experienced unauthorized access to its central database containing sales records, product and customer information, encrypted passwords, API keys, and electronic signatures for merchants using Customer Facing Display systems. While the company confirmed the database compromise, it found no evidence of specific data exfiltration or misuse. Passwords created or reset after a recent encryption upgrade employed advanced protection, though older credentials' security status remained unclear. The vendor emphasized that externally stored cryptographic keys prevented exposure of payment data. Following the incident, the organization implemented stricter access controls, applied security patches, and restricted infrastructure access. Affected merchants raised concerns about potential operational impacts due to API key exposure and questioned the adequacy of prior security practices given newly introduced safeguards.
Description
In September 2016, Lightspeed, a point-of-sale vendor servicing over 38,000 customers processing $12 billion annually, notified users of a breach involving unauthorized access to a central database. The compromised system contained sales records, product and customer information, encrypted passwords, API keys, and—for merchants using the Customer Facing Display feature—consumer electronic signatures. Lightspeed’s notification email, disseminated around September 2, 2016, stated the data was accessed but emphasized no evidence confirmed theft or misuse of specific records, including personal information. The company clarified that passwords created or reset after January 2015 were secured with unspecified "advanced encryption technology," though the protection status of older passwords remained undetermined. Lightspeed asserted it did not store sensitive credit card data internally and maintained payment crypto keys externally, concluding payment information was not exposed. In response to the incident, the vendor implemented "strict new access policies" restricting personnel access to production infrastructure and sensitive data, applied a "new set of security patches," and enhanced overall security controls. The breach notification did not disclose the incident’s date or duration, and Lightspeed declined to provide additional public commentary when contacted by media.

A US-based bookstore system administrator and Lightspeed customer raised concerns about the breach’s implications, questioning whether the newly introduced access controls and patches indicated prior security deficiencies, such as overly permissive access or delayed patching. He expressed confusion over Lightspeed’s request—rather than enforced requirement—for password resets and noted uncertainty regarding how to update payment processor credentials, which he had not originally configured himself. The administrator speculated that attackers could exploit stolen Lightspeed data to disrupt his business by destroying sales and accounting reports, highlighting the dual role of POS data as critical financial records for many small enterprises. The incident occurred amid a broader trend of financially motivated attacks targeting POS vendors, including malware campaigns aimed at compromising client payment systems. Lightspeed’s breach underscored operational risks for merchants reliant on centralized vendor platforms, though the full scope of data exposure and attacker methodologies remained unconfirmed by the vendor.
