Cyber criminals have found a rather easy and profitable target in the restaurant chain vertical. With point-of-sale systems distributed across hundreds, if not thousands, of locations, these attackers find it all too easy to penetrate and maintain a presence, harvesting customer PII and credit card data. While I expected to be surprised, I have to admit that at first I was a bit overwhelmed. In doing research I found the list of attacks to be excessively large, and it includes many recognizable institutions: Huddle House, Checkers & Rally’s, Buca di Beppo, Planet Hollywood, Caribou Coffee, Dunkin’, Panera Bread, PF Chang’s, Applebee’s, Sonic Drive-In, Chipotle, Pizza Hut and Wendy’s, among many others.
Common themes
In examining most of these cases, the attacks shared frightening similarities. They all involved unpatched point-of-sale systems with attached card readers, running legacy—if not end-of-life—Microsoft operating systems. These systems sat on networks alongside other devices and servers and were not maintained as isolated, protected segments. The companies themselves, in most cases, had zero to poor capability to detect any aberrant cyber activity. None of them, except for Caribou Coffee, detected the intrusions themselves; they learned they had been breached only when the credit card companies or law enforcement notified them.
The most frightening commonality was the average dwell time, the length of time the cyber criminals maintained their presence within these compromised restaurant chains. According to FireEye’s Mandiant M-Trends 2019 report, the average dwell time faced by enterprises has consistently dropped in recent years and, as of last year, averaged 78 days. In attacks on restaurant chains, those numbers are more like a year and a half. Huddle House, for example, a regional chain with 400 restaurants across 24 states, suffered an attack that lasted a year and a half.
In some cases, the dwell time was even worse. Checkers & Rally’s, one of the biggest drive-thru chains in the U.S., had an attack that was cleaned up in 2019 but went back to 2016. But my findings weren’t all doom and gloom. I found a glowing exception in Caribou Coffee. Using its own detection systems, Caribou Coffee was able to detect “unusual activity” within its networks on November 28, 2018, involving 265 stores. It had an incident response plan in place, enacted it, and hired FireEye’s Mandiant to investigate. Just a few days later, on December 3, 2018, it notified its customers and stopped a breach that had started on August 28, 2018.
For the larger restaurant chains, a few interesting data center/application breaches
While point-of-sale breaches have been the overarching issue in almost all of these cases, a few resemble a more typical enterprise attack. Dunkin’ suffered a credential stuffing attack: attackers were apparently able to break into the application behind Dunkin’s DD Perks program for regular customers.
The information stolen included users’ first and last names, emails (usernames), and 16-digit DD Perks account numbers and QR codes. In this case, the attackers weren’t interested in direct credit card fraud; rather, knowing that users tend to reuse usernames and passwords, they were using the lists of username and password combinations to sell for profit on Dark Web forums.
Another example of a non-point-of-sale attack was Panera Bread. Panera has an affinity customer program that lets customers log in and order their food in advance online so it is ready and waiting at the restaurant for pickup. In August 2017, cyber researcher Dylan Houlihan uncovered that the Panerabread.com website had an “unauthenticated API endpoint that allowed anyone to access the following information about all customers who have ever signed up for an account from Panera Bread: username, first and last name, email address, phone number, birthday, last four digits of saved credit card number, saved home address, social account integration information, saved user food preferences and dietary restrictions.”
He tried repeatedly for more than eight months to convince Panera of the issue and, per reports, found them unreceptive. He subsequently went to cyber expert and blogger Brian Krebs, who made the issue public. All in all, more than 37 million Panera Bread customers’ information was exposed.
What is the remedy? Micro-Segmentation
While it may seem insurmountable at first, the solution for most of these restaurant chain point-of-sale systems, and for a few of them, backend data center applications, can be accomplished easily. Using a software-defined segmentation solution, also known as micro-segmentation, you can do several things. First, one can implement the solution centrally, without having to physically visit each location, and establish clear-cut visibility across the entire distributed enterprise.
By doing so, one can clearly map out application workflow traffic, especially to mission-critical point-of-sale and customer affinity systems. Once the application dependencies within and around these systems are understood, it becomes easy—without having to implement or change VLANs, IP addresses or firewalls—to ring-fence these critical systems down to the process layer with whitelist and blacklist policies that will protect them from harm. What many customers are surprised to find is the speed at which this can be implemented. Instead of the almost untenable traditional methods, we find most customers with this use case able to deploy in a matter of a few weeks. Any changes are instant and often automated.
Furthermore, with these segmentation policies in place, security teams will quickly be alerted to attempted attacks. Where policy changes need to occur, because a new vulnerability has been discovered or an attacker has been found who got around the existing policy, updated policies can be pushed out instantly to all locations. Also, with PCI-DSS regulations top of mind, incorporating a micro-segmentation solution can help restaurant chains become PCI-DSS compliant with little effort and, with appropriate historical visibility capabilities, continuously validate PCI-DSS compliance.
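To make the ring-fencing idea concrete, here is an added illustration in Python (not Guardicore code or any product’s policy language): hosts carry labels rather than IPs or VLANs, allow rules name the POS process and its few legitimate destinations, and a final deny rule fences everything else, so a shell on a terminal reaching for SMB is blocked and surfaces as an alert. Host names, process names, addresses and ports are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Flow:
    src_host: str
    src_proc: str
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src_label: str            # label applied to the host, not its IP or VLAN
    src_proc: Optional[str]   # process that must originate the flow; None = any
    dst_net: str              # destination network in CIDR form
    dst_port: Optional[int]   # None = any port

# Constructed host-to-label mapping; labels replace per-site IP/VLAN tuning.
LABELS = {"pos-101": "pos-terminal", "pos-102": "pos-terminal"}
# Constructed ring-fence policy for POS terminals: first match wins, last rule is the fence.
POLICY = [
    Rule("allow", "pos-terminal", "posapp.exe", "203.0.113.0/24", 443),  # payment gateway (TEST-NET-3)
    Rule("allow", "pos-terminal", "posapp.exe", "10.0.5.10/32", 1433),   # store database
    Rule("deny",  "pos-terminal", None, "0.0.0.0/0", None),              # anything else from a POS host
]

def matches(rule: Rule, flow: Flow) -> bool:
    return (LABELS.get(flow.src_host) == rule.src_label
            and (rule.src_proc is None or rule.src_proc == flow.src_proc)
            and ip_address(flow.dst_ip) in ip_network(rule.dst_net)
            and (rule.dst_port is None or rule.dst_port == flow.dst_port))

def evaluate(flow: Flow, policy=POLICY) -> str:
    for rule in policy:
        if matches(rule, flow):
            return rule.action
    return "deny"  # a host with no matching rule is still fenced off

def audit(flows, policy=POLICY):
    return [f for f in flows if evaluate(f, policy) == "deny"]  # each blocked flow is an alert

# Constructed flow records, as a host agent might export them.
SAMPLE_FLOWS = [
    Flow("pos-101", "posapp.exe", "203.0.113.20", 443),    # expected: card authorisation
    Flow("pos-101", "posapp.exe", "10.0.5.10", 1433),      # expected: store DB
    Flow("pos-102", "powershell.exe", "10.0.5.10", 445),   # wrong process: blocked and alerted
    Flow("pos-102", "posapp.exe", "10.0.5.77", 445),       # wrong destination: blocked and alerted
]
```

Pushing a policy change to every site is then a matter of editing POLICY centrally; the two blocked flows are the kind of lateral movement attempt the text says security teams are alerted to.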
On an important note: while my experience has been that implementing a micro-segmentation solution reduces the workload on overtaxed IT staff, and most of the time I find restaurant chains implementing it themselves, I have several who have chosen to leverage certified managed security service providers (MSSPs) to manage this for them. Finally, I encourage customers to consider micro-segmentation solutions with additional breach detection and response capabilities. While specific features vary by vendor, such capabilities enable security teams to easily detect and stop malicious processes and dangerous lateral movement within the restaurant chain environment. Overall, it has been my experience that implementing micro-segmentation reduces stress and strain on an overtaxed IT workforce, helps customers achieve visibility, and lets them implement micro-segmentation easily, thereby reducing risk and allowing restaurant businesses to validate compliance.
Dave Klein is Senior Director Engineering & Architecture at Guardicore. He has over 20 years of experience working with large organizations in the design and implementation of security solutions across very large scale data center and cloud environments. At Guardicore, David leads the engineering team in North America, assisting Guardicore customers in architecture and implementation of advanced data center security solutions for the rapid detection, containment and remediation of security breaches.