The cyber attack on Oracle that affected more than 700 systems and forced the company to admit that it had to remove "malicious code" from MICROS retail system software may also have compromised the credit and debit card details of millions of Americans.
The warning comes from Alexander Polyakov, co-founder and chief technology officer, and Dmitry Chastukhin, lead SAP security analyst, at ERPScan, which focuses purely on enterprise resource planning software security.
US credit and debit cards are poorly secured, and it is possible that the attackers gained widespread access to card details, they suggest.
Furthermore, MICROS is one of the market-leading retail systems vendors, and almost every regularly used credit and debit card in the US could have been compromised.
"Taking into account that most point-of-sale [PoS] terminals in the US still accept cards without a chip, the attackers possibly got unlimited control over credit cards," Polyakov told V3.
"The most interesting feature is that the group attacked the vendor itself [Oracle] and with the access to the MICROS support portal they were able to infect all devices, for example, via vulnerabilities in these devices, thereby breaching thousands of retail networks.
"We cannot say exactly what vulnerability was exploited by the hackers, but it is worth mentioning that in July 2016 Oracle released two patches for vulnerabilities in MICROS and several in other Oracle retail applications."
Oracle fixed a number of other vulnerabilities found in MICROS PoS (CVE-2016-0684, CVE-2016-3429, CVE-2016-0469) in April.
"The question of how many vulnerabilities in MICROS PoS are undiscovered remains open. However, the fact that MICROS Systems was purchased by Oracle just recently can also affect the code quality of this product," added Chastukhin.
The number of attacks using vulnerabilities in industry-specific solutions is also growing, he warned.
"It relates not only to the retail industry, but to oil and gas, manufacturing and many others. Unfortunately, most incidents of this kind do not immediately become publicly known as the attack vectors are very specific," he said.
The cost of the Oracle breach will almost certainly exceed that of the attack on US retail chain Target in 2014, which cost the firm some $200m.