Why US restaurant chains are key victims of cyber crime

restaurant kitchen

In the past few weeks, well-known US restaurant chains have been hit by highly publicized data breaches:

  • Noodles & CompanyUnusual activity on its computer systems was detected this past May , which indicated the potential compromise of diners’ debit and credit card data in locations across 27 states.
  • Wendy’s – The hamburger chain announced last week that hackers stole customers’ credit and debit card information at 1,025 of its US restaurants, obtaining card numbers, names, expiration dates, and card codes in late fall 2015.

Weak POS systems

The 2016 Trustwave Global Security Report found food and beverage sectors to be one of the top four industries most frequently targeted by cyber criminals.

And while any organization that deals with large amounts of sensitive data is vulnerable to repeated attacks by cyber criminals, restaurants are uniquely vulnerable because of their high reliance on point-of-sale (POS) terminals.

Restaurants have become easy targets for cyber thieves because it is easy for criminals to rack up large amounts of data, which can be extraordinarily difficult to spot.

Cyber insurance: read the small print

While it’s important for organizations using POS systems to regularly conduct penetration tests to spot any potential vulnerabilities, many are choosing cyber insurance cover as a backup. But it’s important to really read the fine print of your policy. Chang’s China Bistro learned the hard way…

Chang’s restaurant bought a cyber risk insurance policy from Federal Insurance Company to cover itself from January 1, 2014 to January 1, 2015. The Policy was sold as a “flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology dependent world”.

But in June 2014, hackers obtained 60,000 credit card numbers belonging to Chang’s customers and posted them online. Although the insurance policy paid out $1.7 million for losses associated with the data breach, it disclaimed coverage for approximately $2 million in fees and assessments imposed by MasterCard. Chang took its insurers to court, but its argument was rejected.

There are around 70 different insurers selling cyber insurance in the US, and nearly all of those policies are issued on a surplus lines basis. The wording used in each policy obviously varies, and the differences from one policy to the next can be significant.

Take payments electronically? You must comply with the PCI DSS

Any organization that stores, transmits, or processes cardholder data must comply with the PCI DSS, or risk paying ‘non-compliance’ or ‘data compromise’ fines. Merchants and member service providers (MSPs) are required to:

  • Build and maintain a secure IT network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

To help you achieve and maintain compliance with the PCI DSS, we have a number of resources:

  • Information: Read guidance from practicing experts on the PCI DSS; perfect for those new to the subject or looking for more information on implementing it in their organization. Find out more >>
  • Pre-written, PCI-compliant documentation: Up-to-date with the PCI DSS v3.2, the PCI DSS Documentation Toolkit contains easy-to-use, fully customizable templates to help you produce compliant documentation. Find out more >>
  • Penetration Testing: Identify, fix, and prevent vulnerabilities within your systems with CREST-accredited testing services from IT Governance. Find out more >>


No Responses