In March, Chick-fil-A announced that a forensic investigation found that a cybersecurity breach compromised its mobile app. More than 71,000 mobile app users were affected, resulting in the exposure of personally identifiable and sensitive data that included names, email addresses, phone numbers, and banking information.

“Following a careful investigation, we determined that unauthorized parties launched an automated attack against our website and mobile application between December 18, 2022 and February 12, 2023 using account credentials obtained from a third-party source. Based on our investigation, we determined on February 12, 2023 that the unauthorized parties subsequently accessed information in your Chick-fil-A One account.”

With an increasing number of restaurants relying on mobile apps for orders, payments, customer rewards, promotions, and menu updates, mobile apps have become a vital aspect of the industry. In fact, Lavu finds that mobile represents 60 percent of all digital restaurant orders. Additionally, a HungerRush survey found some 79 percent of consumers expect to use technology to place orders at casual restaurants. 

Despite the value of quick-service restaurant mobile apps, many lack adequate security and privacy measures needed to safeguard user data. As more brands build and update mobile apps to support their customers, business leaders must recognize the risk of mobile app security and privacy violations. Restaurants and other consumer businesses should take extra steps to secure their mobile apps to grow sales, retain customer trust and maintain a positive image. 

The Consequences of Mobile App Security and Privacy Issues 

Over the last decade, many popular restaurants have experienced the impact of mobile app security and privacy issues:

• Canadian coffee company Tim Hortons experienced issues when government authorities discovered the company secretly tracked users without their consent. 
• A security issue within the McDonald’s mobile app allowed hackers to steal email addresses, phone numbers and delivery addresses for customers within South Korea and Taiwan. 
• Dunkin’ Donuts faced scrutiny for twice failing to notify customers about a mobile app security issue that allowed unauthorized individuals to access their accounts.

 

These examples demonstrate that even reputable mobile apps from established brands can carry significant privacy and security risks. A single incident can damage the revenue and brand reputation of a business, highlighting the importance of quick-service restaurants taking full precautions to ensure the security and privacy of their mobile apps.

Benchmark Data Highlights Mobile App Risks

NowSecure recently evaluated more than 450 Android and iOS retail mobile apps (which includes quick-service restaurants) using the NowSecure Platform automated mobile application security testing engine. The engine runs more than 600 automated tests based on proven industry standards to find security and privacy issues that impact mobile users and mobile businesses. 

According to the data, 100 percent of the sampled retail mobile apps had security risks and 64 percent had privacy risks. Some of the most common security risks uncovered include insecure network communication, insecure data storage and the ability for attackers to take over the mobile app. Privacy risks included app configurations that expose personal data and insufficient protection of sensitive data and personal data leakage over the network.

The Blueprint for Secure Quick-Service Restaurant Mobile Apps

We can expect the food service industry to expand its digital presence—35 percent of customers say they would be encouraged to spend more on food in restaurants with mobile apps. With that said, restaurants that develop mobile apps should consider the following best practices to minimize security and privacy risks. 

• Conduct Regular Penetration Testing–Pen testing allows expert security analysts to produce a comprehensive report outlining the security and privacy issues found in the app, including their severity level, likelihood of exploitation, and impact on the business. Restaurants with mobile apps should run tests for each new release or major update to safeguard against potential breaches and shield sensitive customer data. 
• Automated Security Testing for Continuous Protection—Pen testing can be highly beneficial for confirming the security of a mobile app, but it can also take up to two weeks to complete. Quick-serves with mobile apps should adopt a proactive approach to security by using continuous automated security testing as the mobile apps are built and updated. Mobile app development teams can remediate issues as they arise, ultimately speeding up releases with quality and security built in.
• Automatically Monitor for Regulatory Compliance—Brands with mobile apps must be diligent about complying with regulatory requirements such as PCI, California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR). Using an automated policy engine helps QSRs ensure their mobile apps maintain compliance with industry-appropriate standards to avoid potential regulatory penalties.
• Encourage Mobile-Specific Dev Training: Quick-serves rely on talented developers to create their mobile apps. But with the mobile threat landscape constantly evolving, development teams should regularly sharpen their secure coding skills to avoid common, mobile-specific mistakes. Encourage developers to enroll in free mobile app training courses to ensure they build mobile apps with security and privacy in mind.

 

The Chick-fil-A data breach acts as yet another reminder of the evolving mobile threat landscape, putting customer data, brand and revenue at risk. By leveraging security automation, standards, training and testing, restaurants can ensure they are taking the right precautions to safeguard their mobile apps from security and privacy risks, in order to maintain customer confidence and business success. 

As NowSecure Chief Mobility Officer, Brian Reed brings decades of experience in mobile, apps, security, dev and operations management including NowSecure, Good Technology, BlackBerry, ZeroFOX, BoxTone, MicroFocus and INTERSOLV working with Fortune 2000 global customers, mobile trailblazers and government agencies. At NowSecure, Brian drives the overall go-to-market strategy, solutions portfolio, marketing programs and industry ecosystem. With more than 25 years building innovative products and transforming businesses, Brian has a proven track record in early and mid-stage companies across multiple technology markets and regions. As a noted speaker and thought leader, Brian is a dynamic speaker and compelling storyteller who brings unique insights and global experience. Brian is a graduate of Duke University.