Under Siege: Cybercriminals Target C-Stores

Understand the vulnerabilities that make the convenience retailing industry a prime target for data attacks. 

February 24, 2020

This is the first of a three-part NACS Daily series. Today: Attention

By Jerry Soverinsky

ALEXANDRIA, Va.—Convenience stores are in the news, and for unenviable reasons. A recent spate of data breaches has led to the theft of credit and debit card information from millions of customers, while infiltrating critical operating systems for convenience retailers.

It’s no understatement that convenience stores are under attack. To help you protect your company and customers, NACS begins a three-part Daily series to address attention, prevention and remediation.

“Attacks Targeting Point-of-Sale at Fuel Dispenser Merchants,” warned a November 2019 Visa Security Alert, notifying merchants of increased efforts by cybercriminals to target fuel dispenser merchants.

“It is important to note that [the attacks] differ significantly from skimming at fuel pumps, as the targeting of POS systems requires the threat actors to access the merchant’s internal network,” Visa continued.

While NACS has addressed skimming prevention best practices in NACS Daily and NACS Magazine, (see our Skimming and Payments Security topic page at convenience.org for news and resources), these POS attacks are an evolving threat that requires an all-hands-on-deck approach from fuel marketers to minimize vulnerabilities.

Indeed, earlier this month, York, Pa.-based Rutter’s announced that it had uncovered a data breach of customer information that may have begun as far back as August 2018. “… [A]n unauthorized actor may have accessed payment card data from cards used on point-of-sale (POS) devices at some fuel pumps and inside some of our convenience stores through malware installed on the payment processing systems.”

This came just two months after Wawa, Pa.-based Wawa announced that it discovered a data breach—up to nine months after “malware began running on in-store payment processing systems at potentially all Wawa locations,” the company said in a press release. The result? The compromise of more than 30 million payment cards, according to security news site Krebs on Security.

Why are petroleum retailers being targeted?

According to Mark Carl, CEO of ControlScan, cybercriminals are intensifying their efforts on the petroleum industry because they have discovered vulnerabilities. “As these attacks continue to deliver huge successes for the attackers, they will continue to target both upstream and downstream petroleum resources to look for additional value,” he said.

The effort is not new, according to Carl. “The threats began in earnest with the breach of a vendor back in early 2016, which likely produced a significant amount of technical knowledge that the attackers could use to perpetrate attacks. Given the success that they’ve seen, they’ve also gained significant knowledge of petroleum systems along the way.”

Coming Wednesday: Prevention

Jerry Soverinsky is a Chicago-based freelance writer and NACS Magazine contributing writer.