Wendy’s founder Dave Thomas knew what mattered. He knew that Wendy’s beef had to be fresh. He knew that his own quirky advertising image had to be endearing. Above all, he knew how critical it was for consumers to view Wendy’s as one step above the rest of fast food.
That’s part of what makes news of the recent Wendy’s credit card breach, which possibly affected thousands of customers, so difficult for the company. Thomas was a perfectionist. To him, image was everything. He wanted his brand image to be spotless.
So the question is: What happens to the very public image of a company like Wendy’s, Dairy Queen, or Jimmy John’s when the data security of its best customers is compromised with a breach?
The answer: It gets pretty beaten up.
The media adores data-breach stories, and once a data breach—no matter how small—hits a national chain, the example is cited for years as a nightmare scenario.
Wendy’s officials declined to discuss their latest breach. “Until this investigation is completed, it is difficult to determine with certainty the nature or scope,” says spokesman Bob Bertini in an email.
Wendy’s isn’t the first quick-serve company to suffer a data breach, nor will it be the last. In the first nine months of 2014, there were 904 million records compromised in 1,922 confirmed incidents for businesses accepting credit and debit cards in the U.S., reports Heartland Payment Systems, a major payment-processing provider.
Worse yet, the fast-food industry will be seeing more than its share of future data breaches, projects Jennifer Woods, an attorney at the law firm Clark Hill. “We’re seeing fast food as the most well publicized because they are some of the easier targets,” she says.
The fact is, because restaurants process so many credit cards—and have so much point-of-sale equipment—they are data-thief magnets.
So, what’s a restaurant to do to protect itself? Here is Woods’ list of the most important steps to take:
Be aware. Pay attention to news stories and see if there are common points of weakness among retailers. Then see if you might share any of those weaknesses.
Be proactive. Don’t wait for the data thief to strike. You must actively police your POS systems to make sure no one is tampering with them. It’s probably best to have a third-party payment card specialist who understands security breaches review your system.
Update your system. It’s critical to constantly update your system to the newest technologies.
Don’t dawdle. If something seems even remotely suspicious, don’t hesitate to have security experts investigate. The longer you wait, the greater the damage.
Protect everything. It’s not just credit card numbers that are craved by data thieves. So is other data, such as the social security numbers of employees.
Limit the data you keep. Since information has a nasty tendency to leak out, the less you store, the better. Don’t store any data that you don’t absolutely need.
Let the experts do it. In most cases, it’s best to hire a third-party card processor to be responsible for your information.
In the end, it’s all about establishing a company threshold of taking “reasonable” data security measures to protect your customers and employees, Woods says.
Data theft is going to get a lot worse before it gets better. The most common breach is hacking into cash registers and POS systems at restaurant locations and planting software that surreptitiously records magnetic stripe data when cards are swiped through the machines, according to Heartland.
The cost to consumers—and retailers—is growing. The average cost for each lost or stolen record jumped from $188 in 2013 to $201 in 2014, reports a Ponemon Institute study. The total average cost to the organizations involved grew from $5.4 million to $5.9 million during the same period.
“It’s a virtual certainty that everyone will suffer a data breach,” Woods says. “It’s just a question of when they find out about it.”
Even then, she says, smart preparation can limit the damage.