Sqrrl Blog

Nov 24, 2015 8:30:00 AM

Cyber Incident Matrix: Service Systems Associates (SSA)

Complexity Score: 2
Severity Score: 3
How did we get these numbers?

Incident Summary

Overview:

On October 13th, 2015, Service Systems Associates (SSA) announced that it had discovered a breach of its point-of-sale systems that resulted in the loss of about 60,000 individuals’ credit card information. The data breach occurred at 10 client locations across the United States. SSA recognized the breach only months after it began, and did not release a report until almost four months after the breach.

[Figure: Sqrrl Cyber Incident Matrix. Plotted incidents: OPM Breach, IRS Breach, Anthem Breach, ATM hacks, Kaspersky hack, Insider Trading hacks, Ashley Madison Breach, Penn State, SSA Breach]

Complexity Score:

| Plan Time | Indirect Attack | Cyber/Human Coordinated | Zero-Days Used | Time Undetected | Advanced TTPs | Total |
|---|---|---|---|---|---|---|
| 1 | 0 | 0 | 0 | 1 | 0 | 2 |

The SSA attackers planned and executed a standard point-of-sale (POS) security breach, trying to exfiltrate customers’ payment data in ten different locations across the United States. SSA reports that the hackers used malware to infiltrate the system. Although this malware is widely available in the underground marketplace, planning the attack, including finding the target and navigating the corporate network, takes a non-trivial amount of time (+1 Plan Time). After this planning phase, the breach captured payment card data for two months and was not noticed for a third month (+1 Time Undetected).

Despite the pedestrian nature of this security breach, it reveals the lack of security in current POS systems. The United States is behind the curve in point-to-point encryption because of the widespread use of magnetic stripe payment card readers. A magnetic stripe reader briefly stores the payment card information in the terminal’s memory, which opens a window for malware to copy the card data. This common technique, called memory scraping, was likely leveraged by the SSA hackers. It is not an advanced TTP, but it remains effective while magnetic stripe readers are common in the United States.

Since the details of the SSA breach remain vague, this post will be updated as further information on the complexity of the breach comes to light.

Severity Score:

| Incident Costs | Physical Damage | Lives Lost | Nat. Sec. Impact | Total |
|---|---|---|---|---|
| 3 | 0 | 0 | 0 | 3 |

With about 60,000 payment cards exfiltrated, each selling for an estimated $130, the projected value of the compromised data is $7.8 million. Additionally, SSA’s make-good of one year of free monitoring service, estimated to cost $150 per plan, puts SSA’s estimated cost of remediation at $9 million (+3 Incident Costs). In the reports of the breach thus far, there is no evidence to indicate a higher severity score in other categories.

Topics: Cybersecurity, Data Breach, Cyber Incident Matrix