As hackers find new ways to gather coveted personal information, restaurants are quickly becoming a target for the internet underworld.
Several customer accounts were breached on Dunkin's DD Perks mobile rewards program in November, but Dunkin' certainly wasn't the only chain to get hit this year. Panera, Burgerville, PDQ, Cheddar's and Chili's also reported security breaches. And last year, millions of customer payment cards were breached through a point of sale system at Sonic.
Whether it be through an online rewards system or POS platform, breaches at restaurants can scare customers away and reduce profit margins. While health care is among the top targets for hackers, retail (including restaurants and grocery stores) is among the most vulnerable.
TGI Fridays Vice President of Information Technology Sammy Langley told Restaurant Dive that restaurants need to have an equal focus on cybersecurity as they do product, place, price and promotion to avoid these pitfalls.
"If a restaurant owner is successful at the 'Four P's' but fails at cybersecurity, leading to a data breach in which customer data is accessed and/or stolen, they will ultimately lose in the end, and the business repercussions could be felt for a very long time," he said.
Breaches can carry a hefty price tag for restaurants. For every piece of data breached, it can cost an average of nearly $150, which adds up quickly. A breach of 1 million records can cost a company $40 million.
Restaurants could end up paying for fees and penalties, forensic audits to find out what happened (ranging anywhere from $10,000 to $100,000 per investigation), remediation costs, breach notification (which come with often complex requirements to notify customers depending on state law), lawsuits and brand damage, according to the National Restaurant Association.
Sonic, for example, settled a class action lawsuit in October for $4.3 million, which alleged the burger chain's security system failed to protect customer data.
Why restaurants are at risk
Restaurants not only process credit card information, but also have access to business-specific data inventory and human resources data, Langley said.
While card swipes were the go-to method of stealing information in the past, chip cards have made it more difficult to gather information this way. Jeff Nathan, principal researcher at security intelligence company Exabeam, told Restaurant Dive that as a result, cyber attackers have shifted how they gather bulk information.
"Once these loyalty programs moved online and started aggregating all this customer data in one place, they became pretty interesting targets," Nathan said.
But security is not exactly at the top of the list of priorities for many restaurant owners. Franchisees are more focused on running a restaurant than being up to date on the latest security, Nathan said.
What makes restaurants unique is that franchisees are entirely dependent on the security provided by the franchise brand in a way that other franchises are not, Nathan said.
The common misperception franchisees have is that compliance is the same as security. For example, franchisees often focus on what they need to have in place to keep processing credit cards, such as paying a franchise fee or having the bare minimum technology or protocols in place to meet its franchise contract, which is not the same thing as security, Nathan said.
"The real issue with a lot of organizations has been they do not operate with a culture of privacy and security," Adam Levin, founder of CyberScout, a provider of identify protection services, told Restaurant Dive. "Cybersecurity protections are a cost center as opposed to a revenue center."
"Once these loyalty programs moved online and started aggregating all this customer data in one place, they became pretty interesting targets."
Principal researcher, Exabeam
Promoting a culture of privacy and security, such as having anti-phishing drills, monitoring systems and devices that connect into the restaurant's network daily and make sure the person accessing the system is the right person, are ways that businesses can better protect company and customer data, Levin said.
Even though there are more security protocols in place for POS systems, these platforms are still among the most common touch points for hackers to access valuable customer data.
"Restaurants aren't famous for their point-of-sale system security," Levin said.
Many restaurant employees have access to their brand's POS systems. There is typically someone at the cash register who needs to be trained and make sure that they can handle and recognize anything that seems suspicious, Levin said.
How can restaurants protect customer data
TGI Fridays is one restaurant brand with a strong culture of security. It has robust protocols in place and works closely with franchisees to maintain security.
The casual dining chain has a multilayered cybersecurity approach in place that uses multiple administrative, technical and physical controls across its various data platforms, TGI Fridays' Langley said.
For example, its Zero Trust Security model is a technical control that ensures data is secure both outside and within the company. It uses the motto "never trust, always verify," and the company uses it daily, he said. This model can be applied to its POS system, e-commerce platform and security of guest and employee information.
While franchisees are responsible for the controls of their restaurants, such as access to the point of interaction devices, back-office network and computing environments, corporate sends monthly operational reminders to all restaurants on how to prevent and identify scams, Langley said.
Point of interaction device inspection is part of a daily checklist TGI Fridays managers perform in each restaurant, he said.
Knowing how to identify scams is becoming increasingly important, especially as restaurants move toward more secure ways to protect cardholder data. Langley said the top threat to the industry is non-malicious insiders, such as negligent employees, who are susceptible to phishing attempts and other cyberattacks.
"While technology has helped normalize paying for things digitally, we're also seeing that it's far easier for a scammer to make a phone call or send an email to a restaurant and convince someone to transfer funds," Langley said. "Scammers are already highly sophisticated, and they will only get better."
TGI Fridays has taught restaurants to read signs and report any threats immediately, he said.
"Scammers are already highly sophisticated, and they will only get better."
Vice president of information technology, TGI Fridays
Setu Kulkarni, cybersecurity company WhiteHat Security's vice president of strategy and business development, told Restaurant Dive that one of the best practices to protect customer information is to not take orders over the phone. Online ordering is more secure since an employee repeating credit card numbers and other information out loud could be overheard by another person.
Even if a restaurant's systems are secure, they can still be vulnerable if a vendor doesn't follow security procedures, such as how an HVAC operator gave hackers access to Target’s POS systems, Levin said.
How to respond
Four years ago, breaches at restaurants were few and far between, Kulkarni said. Unfortunately, they have become more common and can be problematic if the restaurant does not know how to react.
Responding to a breach will be critical to whether or not people are willing to return, and in the days of already tight margins, losing long-time customers could spell disaster.
"The day my trust is breached — the restaurant app gets hacked — I'll probably stop going to that restaurant," Kulkani said. "For the restaurant there is a huge amount of customer satisfaction at risk as well."
Luckily, these events are no longer the catastrophes that they were in the past, Kulkarni said. "Businesses can … recover from these breaches if they respond well."
Kulkarni said the best way to respond to a breach is to acknowledge that the breach happened despite the company's best efforts and provide information on what specifically went wrong, what kind of data was breached and how end users can protect themselves.
"The day my trust is breached — the restaurant app gets hacked — I’ll probably stop going to that restaurant. For the restaurant there is a huge amount of customer satisfaction at risk as well."
Vice president of strategy and business development, WhiteHat Security
Cyber criminals can still make a lot of money by stealing customer information, especially if it is easily accessible via malware or successful phishing attack, and many will target the low-hanging fruit, cyber experts said.
"This all comes down to how do criminals make money and how do these franchisees protect their individual business," Nathan said.
Even with the tightest security protocols in place, restaurants can expect hackers to take aim at their point of sales systems and online programs.
"Breaches are a third certainty in life," Levin said.