Web Exclusive | June 2017 | By Kevin Hardy

Hackers Take Aim at Quick-Service Restaurants

From Chipotle to Arby's to Wendy's, cyber crime can strike any restaurant brand—and the effects could be devastating.
The average cost of responding to data breaches is rising. Chipotle
Bookmark/Search this post
Email this story Email this story
Printer-friendly versionPrinter-friendly version

All it takes is one.

When it comes to data security, a restaurant’s defense is only as good as the weakest link in the system, says Varun Badhwar, CEO and co-founder of RedLock, a cloud infrastructure security firm. And big, franchised restaurant chains offer many points of entry for would-be hackers. Plus, their fractured security systems could differ across regions, by individual franchisees or even store-by-store.

“When you have lots of employees and outlets, employees who don’t have a lot of experience in security and hundreds of devices, somebody’s just got to get into one. And that’s really what we see most of the time,” he says. “The attackers are looking for the weakest link. If they can send an email to an accounting analyst that clicks and attaches malware then who cares about everything else?”

READ MORE: Here are five key steps to managing restaurant theft and fraud from the experts.

Badhwar says many restaurants and retailers aren’t taking cyber security serious enough. And there are plenty of recent data breaches that speak to hackers’ interest in the quick-service restaurant space: In May, Chipotle announced that malware stole customer payment data for three weeks at many of its stores. The month before, news broke of credit card breaches at 150 Shoney’s restaurants. And Arby’s acknowledged in February that a breach affected more than 355,000 credit and debit cards, according to cybersecurity expert Brian Krebs.

Because of the unique structure of the franchisee model, quick-serve companies need to build in tangible rewards for partners who maintain formidable security protections and some sort of repercussions for those that don’t, Badhwar says.

“There needs to be a shared responsibility model,” he says. “At the end of the day, they’re small business owners. If there’s no incentive or consequence tied to them personally, it’s hard to see where they would be motivated to take it seriously.”

The average cost of responding to data breaches is rising, now topping $150 for each piece of compromised data, Badhwar says. And while preparation and security is key, he says restaurateurs should go one step further, building policies and plans to respond to possible breaches.

“You have to believe you are also going to be targeted,” Badhwar says, “and it’s not a matter of if, it’s a matter of when. So, proactively you need solutions.”

For restaurants, data security can mean implementing sophisticated technological infrastructures to guard against breaches. But they shouldn’t forget the basics, like training front-line employees, says Frank Picarello, COO of TeamLogic IT, a franchise network specializing in advanced technology solutions.

“We tend to want to orient ourselves around all the cool security tech, but at the end of the day the majority of breaches come from people making mistakes: opening emails they shouldn’t, not paying close attention to the credit card at the register, people not putting chip readers in place,” he says. “There’s this general naiveté around what security really means and thinking their role is to kind of secure data and devices and it’s really about securing businesses.”

With high turnover and numerous units, quick-service restaurants pose a unique security challenge, Picarello says. He suggests store managers tie cybersecurity into the training they already do: talk about it at monthly staff meetings or hold special sessions on how to spot a suspicious-looking card.

“If I had a quick-service restaurant, a McDonald’s franchise or whatever, I would on a regular basis get my employees together and let them know here are the patterns we’re seeing and here’s what you need to look for,” he says. “And equally important: here’s how you need to react to it. These are the steps to take. Most employees don’t get that, I would think. They don’t know what to look for.”

It’s in the best interest of franchisees and franchisors to double down on security, he says, because data breaches have consequences for individual stores and their global brands.

“I tell my neighbor I’m not going there again because the last two times I went there it was the last transaction on my card before my card number was stolen and used elsewhere,” he says. “Those things have implications and they have implications on a brand. Generally speaking, I think it’s a big deal and it’s getting bigger.”

Still, credit card breaches don’t inflict as much harm as those that compromise consumers’ Social Security numbers or other sensitive information, says Linn Freedman, chair of the data privacy and cybersecurity team at the Robinson & Cole LLP law firm. Most credit card breaches require shoppers to simply replace their existing cards, she said, a much more minor setback than a serious breach in the healthcare sphere that could lead to identity theft.

She recommends restaurants stay up to date with the transition to chip-and-PIN credit cards, which security experts widely regard as more secure than simple PIN transactions. And she says merchants should maintain PCI compliance—without it, card issuers can hold merchants liable for the costs of fraudulent purchases. But even those standards aren’t total safeguards.

“Does that make you immune from liability? No,” Freedman says. “Every time that there’s a retail or restaurant data breach, whether they’re PCI compliant or not, they get sued in a class action lawsuit these days. The plaintiff’s attorneys are suing every time there’s a data breach whether there’s harm to the consumer or not.”

Freedman says the restaurant industry is targeted just as frequently as retailers. Popular news coverage might make it seem like hackers favor the biggest brands like Target, Wendy’s, and Chipotle. But Freedman says criminals don’t distinguish between big chains and mom and pop stores.

“It’s happening to regional and smaller sandwich and pizza shops, too,” she says. “Anytime anyone has a credit or debit card payment system, it’s happening to them. You’re just hearing about the big chains because they’re newsworthy.”

While Freedman maintains that U.S. retailers and restaurant companies are often outmatched by sophisticated cyber criminals, she does offer some good news: law enforcement agencies are getting better at investigating and prosecuting these crimes. Historically, some retailers were hesitant to share information about breaches with federal investigators, Freedman says, because they feared their internal information could be turned over to government regulators. But the agencies that investigate such crimes—the Federal Bureau of Investigations, the Secret Service, and the Department of Justice—have started to treat merchants more like victims, keeping their internal data separated from the watchful eye of regulators. 

“Now that companies can trust them to help keep their information confidential, companies are more willing to share that information with the government,” Freedman says. “And as such, we’re starting to see the government get more information about the hackers and we’re starting to see some significant prosecutions of these well-known hacking syndicates by the Department of Justice. I’ve been pleased with the public-private information sharing.”