The restaurant and hospitality industries have been hit particularly hard by data breaches, with hotel brands, restaurants and establishments targeted by hackers in 2019. While the average cost of a data breach in 2019 was $1.99 million, for larger companies and chains, those costs can skyrocket to over $50 million – not to mention the irreparable damage to the brand.
According to Verizon’s 2019 Breach Investigation Report, point of sale (POS) intrusions, web applications and crimeware patterns represent 93% of all data breaches within accommodation and restaurants.
What Do Data Breaches Mean for Restaurants?
Interestingly enough, POS intrusions were over 40 times more common at accommodation and food-service businesses than they were in the average industry that Verizon investigated. While hackers have targeted hotel reservation systems, more often it is the restaurants and small stores on their properties that get hit.
So what are the repercussions if a restaurant or fast casual franchise gets hacked? Do long-term customers stop dining at their favorite restaurants? Do they lose trust in their favorite brands? Even when a customer is not personally affected by a data breach, they are still wary of continuing to shop or dine with that establishment, reports Gemalto. According to their study, 64% of consumers are unlikely to do business with a company that has suffered a data breach.
Data breaches can also make consumers cautious of joining loyalty programs. According to the New York Times, it is estimated that $1B is lost due to crimes related to loyalty programs. Criminals will sometimes use stolen credentials to impersonate customers, while others will sell the points online. Cloud security company Armor found that one hacked Southwest Airlines rewards account with at least 50,000 miles was advertised for $98.88. And patrons using the McDonald’s mobile loyalty app in Canada were “Hamburglared” when the app was hacked. Thousands of dollars were spent on hamburgers and happy meals. Many customers were not happy with McDonald’s response.
Restaurants like McDonald’s and coffee shops like Starbucks have made it very easy for customers to join loyalty programs and even order online, which can be hugely convenient. But these breaches leave consumers wondering whether convenience and loyalty perks are good enough trade-offs for their privacy.
How Cyber Criminals Get Your Information
Unfortunately, despite the many big-name restaurant hacks over the last several years, not all restaurants and fast casual chains have shored up their security systems.
Employees
QSR magazine believes that the increase in restaurant data breaches can, in many cases, be traced back to employees. Not all employees are properly trained to spot potential hacking and fraud, whether it is a counterfeit credit card or an email with a suspicious attachment. One of the issues with restaurants as a whole is high employee turnover, which can make proper training difficult. Thus, the onus falls on the restaurants or chains/franchises to continuously audit which employees have access to customer information and, at a minimum, instruct employees to use strong passwords and beware of phishing attempts.
Malware
Malware is one of the biggest culprits when it comes to hospitality and restaurant data breaches. Once malware has found its way into a POS system, criminals can siphon clear-text credit card numbers and customers’ names if they are not encrypted. Experts suggest keeping POS systems separate from corporate networks, menu boards, and security cameras.
Software Patches and Updates
Finally, restaurants need to stay up to date with the latest software and patches. If they don’t, it can provide an “in” for malware. As Gary Davis of McAfee says:
“In fact, many of the more harmful malware attacks we see take advantage of software vulnerabilities in common applications, like operating systems and browsers. These are big programs that require regular updates to keep safe and stable. So instead of procrastinating about software updates, see those updates as one of the most essential steps you can take when it comes to protecting your information.”
A Holistic Approach to Restaurant Payment and Data Security is Required
Bluefin specializes in payment security technologies to devalue data, so that if a restaurant system is breached – hackers find nothing of value. Our solutions, including PCI-validated point-to-point encryption (P2PE) and ShieldConex® data security platform, are available directly through Bluefin or through our network of over 100 partner processors, payment gateways and ISVs.