Panasonic Canada says all issues relating to a virus that struck its point of sales systems in a number of Tim Horton’s outlets a week ago “have been addressed.”
“We continue to actively monitor the situation and have a team on standby to work on any new cases that may arise,” the company said Wednesday in a statement to IT World Canada. “Our current focus is now on addressing any outstanding tickets related to course-of-business technical support needs.”
The company didn’t detail how many outlets were struck. It said the source of the infection is still under investigation with Tim Horton’s parent Restaurant Brands International (RBI).
It is believed the problem started around Feb. 19.
RBI hasn’t responded to two email requests for comment. However, it told the Globe and Mail that around Feb. 26 fewer than 100 restaurants were currently affected to some degree, and that less than 10. were unable to operate any of their POS systems. An RBI email sent to franchisee owners obtained by the Globe said that as of Feb. 23 some 350 outlets were impacted.
RBI told the Globe that no customer data or credit card information was involved.
A representative of Great White North Franchisee Association, which represents many Tim Horton’s franchisee owners, refused to comment.
According to the Globe, the malware struck hundreds of outlets across the country, forcing some to close intermittently or shut the drive-through service of outlets.
While the franchisee association refuses to comment, the Globe quoted a letter the association’s law firm sent to RBI outlining store closures, lost sales and product spoilage.
The POS system affected was made by Quickservice Technologies Inc. (QST) of St. Catharines, Ont., which Panasonic Canada bought in 2016. The division makes a wide variety of security and point of sale software, hardware, digital surveillance systems and integration services for quick service restaurants, including the iQTouch application.
In its email to IT World Canada, Panasonic said “We worked closely with Tim Hortons franchisees around the clock to mitigate the complex issues impacting the Point of Sale terminals. We quickly trained and doubled our QST support staff to assist each franchisee onsite at their store and were able to resolve the critical issues within a short period of time.”
“At this time, all of the terminal issues related to the POS virus have been addressed. We continue to actively monitor the situation and have a team on standby to work on any new cases that may arise. Our current focus is now on addressing any outstanding tickets related to course-of-business technical support needs.
“Panasonic has been a committed partner to Tim Hortons restaurants for over 17 years and our focus has always been on providing quality service and technologies to the franchisees and their customers.
“We will continue to work with RBI and franchise owners to ensure their customers are no longer impacted by this issue. A thorough investigation is underway to understand this issue and until this is completed we aren’t in a position to comment further.
POS systems are targeted by criminals because of the credit/debit card data that runs through them. One of the most recent attacks was discovered in the U.S. by the parent company of the Appleby’s restaurant chain, which said guests’ names, credit or debit card numbers, expiration dates and card verification codes could have been exposed.
While POS systems encrypt data in transit, some are open to attack if access can be gained through the system’s memory, using so-called RAM scraping. That’s been the attack method in many breaches. including the infamous Target breach. It is believed, however, that it isn’t easy to access POS data used here because the overwhelming number of Canadian customers use chip-encoded cards inserted in the front of a reader or are read wirelessly. Vulnerable customers swipe their cards, which exposes data held on the less secure magnetic stripe on the back of the card.
Cards with EMV chips alone aren’t immune to POS malware, one vendor told IT World Canada in 2016. A system must also have end-to-end encryption for protection, he said. It is also vital for IT departments to install operating system updates as soon as possible, and ensure strong passwords are used to protect the systems.
It takes effort to secure POS systems, says John Pescatore of the SANS Institute, an IT security training and certification organization. “Generally they’re bought as an appliance,” he said in an interview, and security isn’t a big part of the purchasing criteria. Often, he added, the buyer’s IT department isn’t involved in scrutinizing the deal. But because it’s common for systems to run on embedded Windows or Linux operating systems updates regularly need to be installed.
It’s important that buyers have security in mind when buying POS systems, Pescatore said. It’s also vital that if possible the POS system should be segregated from the operational network. More than once have attackers gained access to POS systems through the corporate network. Also, look for systems that refuse to allow third-party apps to run on the POS network through whitelisting.
For more on securing POS systems see these white papers from Trend Micro and Symantec.
