A company that provides cash register software to a Woolworths-owned hotel group has been hacked by Ukrainian cyber-criminals, with sensitive client details put up for sale on the internet.
H&L Australia, whose clients include Woolworths-owned Australian Leisure and Hospitality (ALH) Group, provide point-of-sale (POS) systems for more than 300 restaurants and liquor stores as well as pubs and clubs.
H&L confirmed to the ABC that a server containing marketing material and its client list, known as a Customer Relationship Management system, had been hacked but said no financial details had been stolen.
“It’s no credit card or bank details,” chief executive Burt Admiraal said.
“We don’t control or manage any of our [clients’] data.
“It’s names and address of our client base, current and potential clients.
“No other servers were compromised in any way.”
He said the hackers had found a weak link in their system and the company had now shut down the affected server.
Mr Admiraal said the hack would have no impact on their cash register software in pubs and hotels.
“We’ve been communicating with all of our clients now we’ve got a clear understanding of what our exposure was,” he said.
“There is a chance that clients may receive indiscriminate spam but we see this as the only annoyance and inconvenience that may occur.
“If they get hit with any spam we’ve asked they pass information back to us.”
Emergency response team investigating
H&L first learned of the hack through the Federal Government’s Computer Emergency Response Team (CERT) following a tip-off from the UK media outlet The Register.
Initial reports suggested the breach was much larger but H&L said no credit card, consumer details, trading information or consumer loyalty data was stored on their systems.
“We’re working with the federal police to isolate the hackers,” Mr Admiraal said.
“From the information provided by CERT, the hackers were targeting financial institutions and POS companies. We suspect [they were trying] to gain credit card information.
“We have worked with CERT to ensure that we have taken all actions possible to ensure that the risk is mitigated.
“Obviously we have changed all access passwords, completed the task of data transfer to the new server and closed down the compromised server and followed our risk management plan.”
Mr Admiraal said the hack should not be a reflection on their POS software.
“There’s no connection at all between the two,” he said.
ALH Group — a key client of H&L’s — said there was “no link or risk to either ALH or Woolworths systems”.
“There has been no breach of any ALH customer data,” ALH’s head of regulatory and corporate affairs David Curry said.
“H&L do not store any ALH customer credit card information or customer data.”
When asked if he still had confidence in the product, Mr Curry declined to comment.