If you’re a restaurant operator and you haven’t heard of the blog Krebs On Security, definitely check it out. Former Washington Post journalist and self-taught computer security expert Brian Krebs is often the first to break major news about restaurant security breaches.
For instance, in February, Krebs got Arby’s to acknowledge a data breach at its fast-food restaurants. Frankly, the cause is enough to lose your lunch: malware on payment systems once again!In a 2015 interview with Eater, Krebs warned that any restaurant company that uses point-of-sale (POS) systems is vulnerable to attack. POS systems are often set up to be accessed remotely, making them vulnerable to hackers.
As identified by Krebs, other security vulnerabilities with POS systems include enabling the same password for each system and running on outdated operating systems that don’t offer security updates and are simpler to hack. It’s no coincidence that chain restaurants are being hacked with greater frequency; often, several restaurants are linked to one internal system.Now you might be asking (because I definitely did): how a guy like Krebs breaks a story. As it turns out, hacked credit cards are often sold on the black market, usually web forums, and when there’s a major breach, there’s an influx. Krebs then reaches out to banks to see if they’re seeing or hearing anything suspicious. If there’s a pattern, Krebs then reaches out to the suspected chain to confirm whether or not they had a breach. Voila! That’s what led him to Arby’s in February. The company confirmed that it had recently remediated a breach, but had not publicly revealed the incident at the request of the FBI.
Arby’s confirmed that malware was placed on payment systems inside corporate stores, but franchised locations were not affected. In other words, the Arby’s breach was evidence of the vulnerabilities Krebs warned about two years ago!
Learning the Lesson
Here at Zenput, we try to provide our customers with the mobile tools to communicate better about their POS audits as well as possible breaches. We’ve discussed measures to prevent ATM skimming, and we offer a mobile form for audits of payment terminals in stores or at the pump. See below screenshot for an example:
But in the case of Arby’s, they were a victim of a malware attack through their central system. Of course, we’re not privy to the inner workings of Arby’s security system, but you have to hope that they regularly ran updates and that software was updated. Keeping systems updated and making sure employees understand the POS terminal and its functionalities are critical tasks for any restaurant operator. When you create a procedure to protect against physical POS breaches, you can also create a checklist for POS employee training. Security is a team effort and one that’s executed from the top down, so make sure your team is in compliance with best practices. Also make sure they know the right steps to take if a breach is detected. That kind of preparedness can go a long way when recovering from an attack. Arby’s now faces class-action litigation with strong accusations: “The Arby’s Data Breach was the inevitable result of Arby’s inadequate data security measures,” says a credit union suing on behalf of its customers. Arby’s denies those allegations and plans to offer a vigorous defense.
But one company’s struggles are a reminder that any multi-unit restaurant operator is at risk, and it begs—or rather, demands—the question: are you up to date on your security measures?
To learn how Zenput is helping convenience store operators audit their POS systems, click here.