This week, Bluefin partner Two Men and a Truck (TMT), the largest and fastest-growing moving franchise, with over 340 locations throughout the U.S., Canada, Ireland and the U.K., held its 2017 Annual Meeting at the Broadmoor Hotel in Colorado Springs, CO.
The event provided educational sessions, roundtables and more for TMT franchise owners. Bluefin was on hand to discuss our PCI-validated Point-to-Point Encryption (P2PE) call center and in-office solutions for TMT franchisees. Bluefin’s P2PE solutions encrypt cardholder data at the Point of Interaction (POI), so that clear-text cardholder data is never present in a merchant’s or enterprise’s system or network, where it could be accessed in the event of a data breach.
Franchises – A Hacker Favorite
It’s safe to say that cyberattacks and data breaches will continue to plague organizations in 2017. A recent study of companies across 79 countries surveyed 726 organizations in sectors including financial, insurance, retail and defense. The results revealed that the number one issue for executives is the threat from hackers, with 88% of companies included in the survey saying they are “extremely concerned” or “concerned” about the risk.
And some industries are more heavily attacked by hackers than others. Franchises, in particular, have fallen victim to more than their fair share of hacks and remain a large and lucrative target for hackers.
Dairy Queen, UPS, Goodwill, Wendy’s and Supervalu all have one thing in common – they are franchised companies that have reported data breaches. The pattern in all of these cases was similar – hackers infiltrated the merchant’s point of sale (POS) system with malicious software (malware). By the time the breach was detected, months later, these companies found that their network – and their customers’ sensitive card payment data – had been compromised, millions of dollars had been lost, and their reputation had been irreparably damaged.
Some may argue that if only the franchisee was hacked, the franchisor remained safe, or vice versa. However, regardless of who is breached, it ultimately affects both. Whether a retail franchise has all of its locations on the same network or, as in UPS’ case, each store is individually owned and runs its own private network, a breach is a breach in the eyes of a consumer. Try explaining to a customer of a breached franchise that their card data is safe in certain locations but not in others. And, on the franchise side of the coin, even if a particular location wasn’t affected by a breach, its company is now questionable in the minds of consumers.
The Corporate Name is Still the Same
While locations may be independently owned, it’s the big corporate name that gets dragged through the mud when a small franchisee is hit by hackers who take advantage of lax security or a known vulnerability in the POS system of an individual chain store.
Like all companies, franchises want to minimize their cybersecurity risk, but it is often after a breach has occurred and serious damage has already been done that they take action. Noodles and Company, after discovering a data breach that stretched over 5 months in 2016, recently announced that they would be closing 55 of their under-performing restaurants to improve their bottom line.
The costs surrounding the breach and the changes made to revive their business have not come cheap. Noodles expects to pay upwards of $29 million to terminate leases, cover real estate broker fees and pay severance to employees. Additionally, the company recorded an $11 million charge linked to the breach in the fourth quarter of 2016 and another $5 million in additional potential costs.
Noodles’ chief operating officer and interim CEO claims that “many of these under-performing restaurants opened recently in new markets.” However, Noodles’ reputation took a hit after the data breach, and with SELCO Community Credit Union suing the company over the breach, costs could continue to rise. The company still expects to open a dozen locations in 2017, but in “lower-risk markets,” shifting company-owned stores to franchise owners, who currently run 15% of locations. In theory, shifting ownership – and responsibility for secure card payments – reduces risk for the corporation, but it does not necessarily make the corporation, or the company name, more secure.
Like most companies, franchisors have significant quantities of sensitive data that often includes information on customers, employees, and about their franchisees. Franchisors face an additional obstacle: their franchisees often collect large quantities of sensitive data about their customers and their employees. When franchisees experience data security problems, those problems often have a ripple effect that creates severe reputational (and often legal) costs to the entire franchise system.
Why are Franchises a Lucrative Target?
It isn’t just one type of franchise that gets hit by a breach. Hackers target lodging, restaurant, grocery store, gas station and travel franchises to steal customer card information. As breaches of franchises continue to rise, so does the question – why franchises?
Many franchises have multiple locations with large numbers of card-paying customers racking up multiple transactions – all factors that can make it harder for a customer to notice fraudulent charges on their statement. Add the troves of customer information stored within the franchise’s network, and it creates an attractive target for data thieves. Additionally, organizations are discovering they have been breached months after it actually occurred, giving hackers more time to steal cardholder data while organizations stumble to clean up the mess.
In the case of the Wendy’s breach, fraud was initially discovered in January 2016, but Wendy’s officials said it was too soon to say whether the incident was contained, how long it may have persisted, or how many stores were affected.
After a forensic investigation was conducted, Wendy’s reported in May 2016 that 300 of its 5,800 locations were affected by the breach. But by July 2016, the number of impacted stores reached 1,025.
Wendy’s placed the blame for the breach on an unnamed third party that serves franchised Wendy’s locations, saying that a “service provider” with remote access to the cash registers had been compromised. Hackers know that franchises often outsource the management and upkeep of their POS systems to third-party providers, many of whom use remote administration tools to access and manage the systems over the Internet. Unsurprisingly, attackers have focused on compromising the third-party providers and have had much success with this tactic. The damages of the Wendy’s breach reportedly surpassed those of the Home Depot and Target breaches, which were $263 million and $291 million respectively.
Better Safe than Sorry
All too often the conversation focuses on the after-effects of a breach. Yes, data breach insurance and a breach protocol plan are important strategies for organizations to put in place, but “defending the fort” tactics don’t stop the breach from happening in the first place.
So how do you keep your franchisees and franchisors safe from data breaches?
Experts suggest centralizing and standardizing each franchisee’s practices and POS systems across the franchise organization to ensure they’re operating securely, while card companies like Visa recommend enforcing PCI DSS for franchises.
Other recommendations include using secure payment applications, like encryption, that devalue the card data. A recent franchising.com article explains industry-best security strategies, emphasizing the importance of encryption.
The best way for an organization to protect itself from a data breach is to guarantee that a data-protection strategy is in place to ensure that all sensitive data is encrypted, proper controls are in place to permit access to that data, and that the policy is consistently tested and audited for effectiveness in preventing data loss from both external and internal threats. Centralized management of enterprise-wide access, threat-detection systems, external and internal security auditing systems, and the ability to securely share sensitive information and credentials are all key components of an effective data-protection strategy for any enterprise.
Progressive franchise organizations like Two Men and a Truck understand the importance of encryption, and are using Bluefin’s PCI-validated Point-to-Point Encryption (P2PE) to protect their corporate brand, their franchises, and ultimately, their customers from cyber fraud.