Is your restaurant data-breach proof?
By Michael Reitblat, CEO & co-founder, Forter
Last year was the year of data breaches. From Equifax and Verizon to Yahoo and Uber, 2017 highlighted that even the biggest companies in the world run the risk of exposing private data of millions of consumers.
The latest fraudster target? Restaurants and grocers. P.F. Chang's, Chili's, Arby's, PDQ, Panera and Whole Foods are just some of the big-name brands that have recently been breached. Restaurants have become common targets via their point-of-sale systems as well as through online and mobile delivery services, with fraudsters aiming to harvest customer credit card information.
Clearly, the threat is serious. Beyond POS systems, fraudsters often go directly to the source by attacking the restaurant's network or computer system, which stores files containing sensitive financial details. POS network attacks can affect multiple chain locations simultaneously and expose immense quantities of data in one fell swoop, allowing attackers to remotely steal data from each credit card as it is swiped at the cash register.
Vulnerabilities also plague mobile apps associated with restaurants and dining establishments. While data breaches via mobile apps are less talked about, the risks are just as real. Common factors contributing to these types of breaches include lost or stolen mobile devices, mobile app software vulnerabilities (often resulting from lax security testing), malware infections or even exposure via rogue WiFi hotspots.
After fraudsters harvest this information from various sources, they generally turn to the dark web to sell the breached data, exposing cardholders to potential identity theft, account takeovers (ATOs) and other types of fraud.
Private details, aggregated and sold in underground online marketplaces, can expose individuals to all kinds of risks. In many cases when these breaches occur, victims don't even know that their credit card information has been stolen. Personal details including credit card numbers, PINs, full names and addresses and birth dates are prime targets for thieves. Birth dates, in particular, are often stolen in restaurant and food industry data breaches because many businesses offer loyal customers rewards or coupons in honor of their birthday and therefore store individuals' dates of birth in their systems. To protect themselves from fraud and catch foul play before it gets out of hand, consumers need to monitor their accounts, change passwords and review their credit reports regularly.
Beyond the point of transaction
Despite the ongoing risk posed by identity theft, fraudsters have taken note that it isn't always the most lucrative means by which to exploit a customer. Gaining access to a user's online account, also known as account takeover, can result in a far bigger payout.
The flood of personal data available via online web forums thanks to the recent uptick in data breaches has armed fraudsters with all the details they need to exploit good customers. According to Forter data, there was a 31 percent increase in attempted ATOs year-over-year as of Q3 2017, with a significant spike of 53 percent in Q3 2017, compared to the previous quarter.
Breaches and the resulting exposed data mean that restaurants and online retailers need protection beyond just the point of sale, particularly since so many restaurants offer loyalty accounts and rewards that can be usurped by online criminals. Hacked accounts indicate that fraudsters could be going through victim account details and further abusing the customer journey by depleting accounts of accrued reward and loyalty points. Clever fraudsters can manipulate accounts without raising suspicion from either the retailer or the customer.
Erosion of trust
Restaurants and food delivery services are the newest industries to be targeted by online payment fraud. Forter's 2018 Fraud Attack Index reports that overall fraud rates have risen by 13 percent since last year. This growth means that fraudsters have a healthy appetite and that their methods of attack only continue to grow more sophisticated, circumventing conventional fraud prevention techniques.
Data breaches have huge repercussions. They put a dent in the potential net revenue of a business, but they also simultaneously — and perhaps more detrimentally — result in loss of long-standing customer trust in the brand or business. In fact, 19 percent of customers said they would stop shopping at a breached retailer, and 33 percent said they would take a long-term break.
Restoring the faith
To help prevent fraud attacks, restaurants need to ensure they comply with the standards governing the handling of payment card information, be able to manage the risks associated with third-party vendors and put an effective incident response plan into place.
In addition, new technologies like automation, AI, and machine learning ensure private data is better protected from online fraudsters. Streamlining data handling will minimize risks to customer data, add zero friction to the customer journey, and cover every fraud pain point along the way to check out.
Restaurants that have been breached should work to restore the customer faith lost with exposed data. They should also look to artificial intelligence and machine learning models to guard against future hacks and rebuild consumer loyalty.
With fraudsters increasingly targeting the food industry in new and creative ways, restaurants must take every precaution to protect themselves and their customers from falling victim to this alarming new normal. They must also have a crisis plan in place to minimize the damage and restore customer trust in the event that a breach does occur. After all, a small data misstep could mean the difference between a thriving restaurant and a hijacked brand.