Government officials continually warn about the threat of cyber attacks, with warnings stepping up in both frequency and severity recently. While most press reports about hacking risks concentrate on core infrastructures, such as aviation, energy and manufacturing, it would be unwise to assume that hackers have no interest in foodservice businesses.

While breaching a restaurant chain’s systems might not have the impact and wow factor that state-sponsored actors desire from causing a blackout or bringing a railway line to a halt, there’s a clear financial return from a successful attack. One only need think about how restaurants operate; there’s a constant succession of people making card transactions, adding up to many thousands of transactions per day for a U.S.-wide chain. Add in mobile apps, phone orders, and constantly evolving new ways to pay, and hackers have a tempting (and potentially lucrative) set of data to try to gain access to.

The Sonic Drive-In Breach

In October 2017, Sonic Drive-In confirmed news of a large-scale data breach. The breach had already been discussed on information security websites, along with the suggestion that details of cards that had been used in Sonic outlets were being offered for sale on the dark web.

Sonic was forced to go public about the breach, saying that it has affected “certain Sonic drive-in locations.” The firm seemed unable to specify which locations. Online articles and discussions about the breach suggest that it originated in the company’s point of sale systems.

It seems likely that investigating the issue must be far more complicated than other cases due to the franchise nature of Sonic’s business. Despite taking the damage-limiting step of paying for fraud detection and identity theft protection for affected customers, Sonic still suffered inevitable reputational damage, and its stocks took a hit on the markets. 

Other Examples

Sonic wasn’t the first food service business to be targeted by hackers and their malware, and it seems unlikely it will be the last. Over 2015-2016, Wendy’s experienced a similar hack that revealed credit card details. In that example, Wendy’s really suffered from the press coverage because after everything hit the headlines once, it all blew up again when it was discovered that the breach was far more extensive than originally thought, affecting considerably more people. The Wendy’s breach was another case that was made more complicated due to the franchise model.

Shoney’s and Chipotle are yet another two chains who’ve already been affected by similar attacks and data breaches, once again thought to originate in their electronic payment systems.

Being Prepared

Like all retail businesses, restaurants are required to ensure PCI DSS compliance. This is a set of standards formed by credit card companies in 2004 and governed by the Payment Card Industry Security Standards Council (PCI SSC). Comprised of a set of commonly known best security practices, it should go a long way towards protecting customer’s financial information and card details. None of the online commentaries on the breaches discussed above suggest that any of the chains were in breach of this. However, all restaurant businesses should obviously ensure that full compliance with PCI DSS is a given.

Beyond that, it’s down to IT teams to do their very best to patch systems and protect from malware—and from details of these attacks, it seems that POS systems should be a big priority.

Most importantly of all, restaurants shouldn’t be complacent. While cybercrime warnings may seem to focus on transport networks and utility companies, the hackers themselves know that there are rich pickings in the foodservice sector.

Paul Evans is a cyber security author, particularly interested in exploring vulnerabilities in various business sectors.
Outside Insights, Story