The recent ransomware attack on the big payments processor TSYS could portend worse to come for the payments business as cyber criminals seek vulnerabilities in the industry and adopt new tactics to squeeze ransom payments out of their victims.
More attacks on credit and debit processors are “absolutely” coming, says Julie Conroy, research director at Aite Group, a Boston-based consultancy. “It’s definitely an increasing attack vector” for ransomware, she adds.
While TSYS, which became part of Global Payments Inc. last year, is a major processor in its own right, smaller payments firms could be especially at risk of these attacks, in which the invaders use encryption technology to lock up the victim firm’s data and then demand a ransom—typically in Bitcoin—to deliver the decryption key.
In the TSYS incident, the attack was specifically directed at Cayan, a payments company TSYS bought early in 2018 for just over $1 billion. “We’re going to see attacks poking and prodding at startups that get acquired,” warns Conroy.
According to a report by the online site KrebsOnSecurity, which first disclosed the TSYS incident late last week, the attack was launched earlier this month and involved a relatively new tactic in which the criminals posted online some of the data they accessed and threatened to release more if not paid. The site, which reported the attack was specifically directed at Cayan, said the attack “did not affect systems that handle payment card processing,” citing a statement Krebs received from TSYS. The company did not respond to a request for comment from Digital Transactions News.
“We experienced a ransomware attack involving systems that support certain corporate back office functions of a legacy TSYS merchant business,” the TSYS statement said, as quoted by the Krebs article. “We immediately contained the suspicious activity and the business is operating normally.”
Walling off payments data is what would be expected from any company following the requirements of the PCI Security Standards Council’s data-security standard, Conroy says. “You would expect [TSYS] would be exercising those PCI best practices,” she adds. Other experts agree. “I would imagine that if the ransomware gang did get any payment data that it was minimal, aged, and/or was a remnant of undiscovered and unsecured files from an acquired company’s systems,” says Al Pascual, chief operating officer and co-founder of security firm Breach Clarity.
But the incident shows how ransomware criminals are increasingly willing to post samples of the data they’ve accessed in an effort to force their victims to pay up. “We’ve seen that as an increasing tactic over the last nine months or so,” says Conroy, who adds the move can be effective in goading companies that can’t afford the legal liability involved in a data leak. “It ups the ante from a reputation point of view,” she says.