Restaurants Beware: Hackers Are Hungry!

Restaurants now account for 73% of all data breaches in the U.S. Why? Low effort, high yield.|

May 8, 2014

Restaurants, pubs and diners all over the country serve hungry and thirsty people every day. From white tablecloth establishments to the local taco joint, almost all restaurants take credit/debit cards for the vast majority of their payments. One swipe, and customers go on their way. However, behind the scenes, restaurants nationwide are suffering at the hands of cyber thieves who target restaurants in an effort to steal their treasure trove of daily credit card information. A recent Visa report indicates that restaurants now account for close to 73% of the data breaches in the U.S. Why restaurants? Low effort, high yield. The smaller the better! Cyber thieves know that the smaller the establishment, the more likely it is to have weak security in place. With a single hack, a thief can reap a whole day’s worth of stored credit card data, while a continual harvest can produce months and even years of data. How is this possible? Thieves break through weak firewalls, take advantage of the all-too-common use of default passwords, hack into one web device (such as security cameras, payment processors, computers, DVR, WiFi) and then access all the other systems that are not segmented (all Web-based systems can talk to each other if not segmented). Once in, thieves can steal current data or install malicious software (“malware”) on the establishment’s system. This malware allows thieves to routinely access the credit card information that is collected each day. Failure by the establishment to detect and remedy this intrusion can lead to legal liability from customers alleging failure to adequately protect their credit card information. Companies that have been breached often do not learn of the breach until they are notified by customers who have had their credit cards compromised or, even worse, when Visa/Master Card detects a pattern of compromised cards from one point of sale and contacts the establishment for reimbursement. Following a breach of customer credit card information, establishments will be required to notify affected customers of the breach. Notification is complicated and costly and must be done in a timely manner. Often, the effects of a breach include significant IT costs to remedy the breach, determine what information was compromised and repair the system. Lawsuits by customers and a significant drop in business revenue is also common, so there’s significant exposure to both first- and third-party loss. Why are these types of breaches on the rise? Because hackers and thieves can earn quick cash. The going rate on the black market for credit card information is about $20 a card, and a single small restaurant can yield many dozens in a single day. Not bad for a day’s work! (Or not having to do a day’s work....) Restaurant owners should take heed and take the security of their clients’ information very seriously. Establishments that process credit card information should review their security systems, update virus software routinely, train employees on security and best practices and consider a risk management plan that would include cyber insurance. As restaurants are a growing target for cyber crime, if you have restaurant clients (or other clients that take credit card data) you should consult with them about their risks and liabilities. Based on their risk tolerance, consider whether the risk of being a victim of cyber theft is a risk they want to self-insure, or whether they would prefer to outsource this exposure via a cyber/network security policy. In today’s high-tech world, a well-thought-out risk management plan is invaluable and should work in conjunction with cyber/network security insurance, as no computer system -- regardless of size or sophistication -- is hack-proof. A well-tailored cyber policy can provide a restaurant that experiences a breach with a forensic expert who will examine the systems to find out how and when the breach occurred, determine what information was compromised and assist in notifying the affected individuals. Depending on size and revenues, cyber policies can be as cheap as $1,000 and provide $1 million in coverage. Hackers are just like the rest of us: They like to eat! Take precautions so your restaurant clients are not the ones that feed them. In the event that hackers get hungry at one of your client’s establishments, strong security controls and vigilance, combined with a well-drafted cyber policy, can prevent what otherwise could be a devastating blow to a small eatery, franchise restaurant or family diner.

Laura Zaroski

Laura Zaroski is the vice president of management and employment practices liability at Socius Insurance Services. As an attorney with expertise in employment practices liability insurance, in addition to her role as a producer, Zaroski acts as a resource with respect to Socius' employment practices liability book of business.