By Cam Sivesind
Wed | Sep 18, 2024 | 2:18 PM PDT

The restaurant industry has increasingly become a target for cyberattacks as digital payment systems, loyalty programs, and online ordering become more prevalent. In recent years, several high-profile breaches have raised concerns about the security of customer data.

If data is involved, threat actors want to get their hands on it and exploit it. Some notable cyber incidents in the past half-decade include:

  • McDonald's (2021): The fast-food giant suffered a data breach that exposed customer and employee information in South Korea and Taiwan.
  • Wendy's (2015-2016): The restaurant chain experienced a significant breach affecting over 1,000 locations, with customer payment card data compromised.
  • Dunkin' Donuts (2015-2018): The company faced multiple credential stuffing attacks that led to unauthorized access to customer accounts.
  • Domino's India (2021): A data breach reportedly exposed customer names, phone numbers, and payment details of millions of customers.
  • Subway U.K. (2020): The sandwich chain's U.K. customers were targeted by a phishing campaign after a suspected data breach.
  • Checkers and Rally's (2019): The fast-food chain reported a point-of-sale malware attack affecting more than 100 locations.
  • Earl Enterprises (2018-2019): The parent company of restaurant chains like Planet Hollywood and Buca di Beppo suffered a 10-month-long data breach affecting millions of customers.
  • Sonic Drive-In (2017): The fast-food chain experienced a breach that potentially impacted millions of credit and debit card accounts.
  • Panera Bread (2021): The restaurant franchise faced a leak that exposed millions of customer records.

The restaurant industry often struggles with outdated or insufficient security protocols, making point-of-sale (POS) systems, online ordering platforms, and mobile apps key targets for attackers. Restaurants typically handle high volumes of payment card data, which, if not adequately protected, can be exploited.

In many instances, blame falls on a combination of poor security practices, lack of encryption, and failure to comply with data protection standards such as the Payment Card Industry Data Security Standard (PCI DSS). Restaurants often focus on business growth and customer experience, leaving cybersecurity as an afterthought.

"There are numerous points of entry in restaurant chains, such as POS systems for customers and staff, online mobile apps, and third-party services like Uber Eats and DoorDash. Each of these assets handles data transfer and storage in unique ways," said Reanna Schultz, Founder of "As an example, POS systems, while specialized, are still computers and should be equipped with a robust security stack that's actively monitored for signs of data tampering or security threats being introduced."

"In my view, implementing a segmented zero-trust architecture can help isolate external data from internal corporate data, mitigating the risk of cross-contamination," Schultz continued. "Restricting the use of high-risk ports like RDP or SMB for inbound and outbound communication can further reduce the potential for data exfiltration."

"Additionally, enforcing least privilege policies by restricting elevated and contractor accounts to only the data and systems they specifically need is essential. Not everyone in the organization should have access to sensitive customer information. Regular audits, the use of password managers, enforcement of password complexity policies, and multi-factor authentication (MFA) can significantly reduce the attack surface."
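The segmentation and port-restriction points in Schultz's remarks can be expressed as a policy that is checked against observed traffic rather than left as guidance. The block below is an added example written for this page, not code from the article or from anyone quoted in it. It audits constructed flow records against an assumed POS segmentation policy: the 10.10.0.0/24 POS segment, the 10.20.0.0/16 corporate segment, the payment-gateway and resolver addresses, and the allow-list are all assumptions for illustration. It flags RDP/SMB traffic touching the POS segment in either direction, POS egress to anything outside the allow-list (default deny), and corporate hosts initiating connections into the POS segment.

```python
"""Audit constructed flow records against a POS network segmentation policy.

Added example, not from the article or from any quoted speaker. The segments,
addresses, allow-list and flow records below are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Ports the quote singles out as high-risk for a POS segment (RDP, SMB).
HIGH_RISK_PORTS = {3389: "RDP", 445: "SMB", 139: "SMB/NetBIOS"}

# Assumed segments: the POS terminals and the corporate office network.
POS_SEGMENT = ipaddress.ip_network("10.10.0.0/24")
CORP_SEGMENT = ipaddress.ip_network("10.20.0.0/16")

# Assumed allow-list for POS egress: payment gateway over TLS and the local resolver.
POS_ALLOWED = {
    (ipaddress.ip_address("203.0.113.10"), 443, "tcp"),  # payment gateway (TEST-NET-3 address)
    (ipaddress.ip_address("10.10.0.2"), 53, "udp"),      # local DNS resolver
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def check_flow(flow: Flow) -> Optional[str]:
    """Return a finding string if the flow violates the policy, else None."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    proto = flow.proto.lower()

    # Rule 1: RDP/SMB is denied in either direction for the POS segment.
    if flow.dport in HIGH_RISK_PORTS and (src in POS_SEGMENT or dst in POS_SEGMENT):
        return (f"{HIGH_RISK_PORTS[flow.dport]} to/from POS segment: "
                f"{flow.src}->{flow.dst}:{flow.dport}")

    # Rule 2: POS terminals may only reach the explicit allow-list (default deny).
    if src in POS_SEGMENT and (dst, flow.dport, proto) not in POS_ALLOWED:
        return f"POS egress outside allow-list: {flow.src}->{flow.dst}:{flow.dport}/{proto}"

    # Rule 3: corporate hosts must not initiate connections into the POS segment.
    if src in CORP_SEGMENT and dst in POS_SEGMENT:
        return f"corporate host initiating into POS segment: {flow.src}->{flow.dst}:{flow.dport}"

    return None


def audit(flows: Iterable[Flow]) -> List[str]:
    """Run every flow through the policy and collect the violations."""
    return [finding for finding in (check_flow(fl) for fl in flows) if finding]


# Constructed flow records for the demonstration (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.10.0.15", "203.0.113.10", 443, "tcp"),  # terminal -> gateway: allowed
    Flow("10.10.0.15", "10.10.0.2", 53, "udp"),      # terminal -> resolver: allowed
    Flow("10.20.5.7", "10.10.0.15", 3389, "tcp"),    # office -> terminal over RDP: violation
    Flow("10.10.0.15", "10.20.1.50", 445, "tcp"),    # terminal -> file server over SMB: violation
    Flow("10.10.0.15", "198.51.100.9", 443, "tcp"),  # terminal -> unlisted host: violation
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

The ordering of the rules matters: the RDP/SMB check runs first so a blocked-port flow is reported under that heading even when it would also fail the allow-list, which keeps the finding actionable for whoever owns the firewall rule. In practice the flow records would come from firewall or NetFlow exports rather than the inline list.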

The following steps to enhance security could be listed in any blog post about any industry, but a couple are specific to industries like food service:

  1. Encryption: Encrypting customer payment information is crucial for protecting sensitive data.
  2. POS Security: Regularly updating and securing POS systems can prevent malware infections and data skimming.
  3. Third-Party Risk Management: With the rise of food delivery apps and online services, it's vital to ensure third-party vendors comply with robust cybersecurity standards.
  4. Staff Training: Human error remains one of the biggest risks, so training employees to recognize phishing attempts and other common attack vectors is critical.

The restaurant industry is taking steps to improve security, with increased adoption of cloud-based solutions, multi-factor authentication, and stricter compliance with industry standards like PCI DSS. However, the evolving nature of cyber threats means that restaurants need to remain proactive, continuously monitoring for risks and updating defenses to protect both customer data and business operations.

"When reviewing restaurant data breaches, there are valuable lessons we, as IT and security professionals, can apply to our own environments," said Schultz. "These breaches underscore the need to constantly evaluate and mature our practices, based on the damage to both the brand and the data loss caused."

Danny Brickman, CEO and Co-Founder at Oasis Security, said PCI DSS 4.0 is rapidly approaching.

"PCI DSS 4.0 places significant emphasis on non-human identities—system and application accounts that perform automated tasks and often require elevated privileges. Key requirements include:

  • Requirement 7: Restrict access based on business needs and least privilege.
  • Requirement 7.2.5: Periodically manage and review access to ensure appropriateness and address any issues.
  • Requirement 8.6: Strictly manage accounts, particularly those with interactive login capabilities, and avoid hard-coded passwords.

With the introduction of PCI DSS 4.0, managing non-human identities—such as system and application accounts—has become increasingly critical. As PCI DSS 4.0 shifts the focus toward comprehensive identity management, relying solely on human account security is no longer enough. To align with these new requirements, organizations should follow these three essential steps:

  • Visibility: Gain a comprehensive understanding of your environment and identities beyond your Identity Provider (IdP). Incorporate multiple sources of information for deeper insights into identity usage.
  • Security: Develop tailored security policies using advanced analytics to identify potential gaps. Implement continuous review and assessment processes to enhance your security posture.
  • Governance: Streamline lifecycle management with efficient, policy-based automation. Move beyond slow, email-based remediation processes to orchestrate workflows seamlessly across your infrastructure.

Although some PCI DSS 4.0 requirements won't be mandatory until 2025, the need for restaurants, and other organizations, to start preparations now is crucial."
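The three PCI DSS 4.0 points Brickman lists (least privilege, periodic access review, and no interactive login or hard-coded passwords for system accounts) translate directly into checks that can run against an account inventory and application configuration. The block below is an added example written for this page, not code from the article or from Oasis Security. The service-account records, the configuration fragment, the `vault://` reference scheme and the 90-day review window are constructed assumptions; PCI DSS itself does not fix that number.

```python
"""Review constructed service-account records against the PCI DSS 4.0 points
named in the article: least privilege and periodic access review (7, 7.2.5),
and no interactive login or hard-coded passwords for system accounts (8.6).

Added example, not from the article or from Oasis Security. The inventory,
config fragment, vault:// scheme and review window are constructed assumptions.
"""
import re
from datetime import date, timedelta
from typing import Dict, List

REVIEW_WINDOW_DAYS = 90          # assumed review cadence, not a figure from PCI DSS
AS_OF = date(2024, 9, 18)        # review date used by the demonstration

# Constructed inventory of non-human identities (what an IdP/CMDB export might hold).
SERVICE_ACCOUNTS = [
    {"name": "svc-pos-sync", "privileges": ["read:transactions"],
     "interactive_login": False, "last_reviewed": "2024-08-01"},
    {"name": "svc-backup", "privileges": ["admin:all"],
     "interactive_login": True, "last_reviewed": "2024-01-15"},
    {"name": "svc-loyalty-api", "privileges": ["read:customers", "write:customers"],
     "interactive_login": False, "last_reviewed": None},
]

# Constructed application config with one credential embedded in clear text.
CONFIG_TEXT = """
db_host = pos-db.internal
db_user = svc-pos-sync
db_password = "Summer2024!"
api_token_ref = vault://kv/loyalty/api-token
"""

# Matches key = value lines whose key names a secret; the value is captured so the
# caller can tell a literal from a reference into a secrets manager.
_SECRET_KEY = re.compile(
    r'^\s*(?P<key>\w*(password|passwd|secret|token|api_key)\w*)\s*=\s*["\']?(?P<val>[^"\'\s]+)',
    re.IGNORECASE | re.MULTILINE,
)


def find_hardcoded_secrets(config_text: str) -> List[str]:
    """Return config keys whose values are literal secrets rather than vault references (8.6)."""
    found = []
    for match in _SECRET_KEY.finditer(config_text):
        if not match.group("val").startswith("vault://"):   # assumed reference scheme
            found.append(match.group("key"))
    return found


def review_accounts(accounts: List[Dict], today: date) -> List[str]:
    """Return one finding per control failure across the account inventory."""
    findings = []
    cutoff = today - timedelta(days=REVIEW_WINDOW_DAYS)
    for acct in accounts:
        name = acct["name"]
        # 8.6: system accounts should not carry interactive login capability.
        if acct["interactive_login"]:
            findings.append(f"{name}: interactive login enabled on a system account")
        # 7: a blanket admin privilege on an automation account is not least privilege.
        if any(p.startswith("admin:") for p in acct["privileges"]):
            findings.append(f"{name}: holds admin privilege; scope it to the task performed")
        # 7.2.5: access must be periodically reviewed; a missing or stale review is a finding.
        last = acct["last_reviewed"]
        if last is None or date.fromisoformat(last) < cutoff:
            findings.append(f"{name}: access review missing or older than {REVIEW_WINDOW_DAYS} days")
    return findings


if __name__ == "__main__":
    for finding in review_accounts(SERVICE_ACCOUNTS, AS_OF):
        print(finding)
    for key in find_hardcoded_secrets(CONFIG_TEXT):
        print(f"{key}: literal secret in config; move it to a secrets manager")
```

Against the constructed data, `svc-backup` fails all three checks, `svc-loyalty-api` has never been reviewed, and the only literal secret in the config is `db_password`; the `api_token_ref` line passes because its value is a vault reference, not the token itself. The value of a check like this is that it runs on every export rather than once before an assessment.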

As restaurants become more digitally interconnected, investing in comprehensive cybersecurity measures is no longer optional but essential to sustaining customer trust and operational integrity.

"The restaurant industry has increasingly become a target for cyberattacks as digital payment systems, loyalty programs, and online ordering platforms become more prevalent," said Patrick Tiquet, Vice President of Security & Architecture at Keeper Security. "It is crucial for these businesses to prioritize cybersecurity to safeguard both customer data and financial assets. Strong authentication practices, such as using unique passwords and implementing Multi-Factor Authentication (MFA), are essential, yet often overlooked. Despite not being the most exciting topics, these measures are vital since 68% of breaches involve the human element, including stolen credentials, phishing attacks, misuse, or simple user errors."

Narayana Pappu, CEO at Zendata, added this:

"Payment networks and point-of-sale (POS) solutions have close to 99.999% uptime. Therefore, outages driven by payment networks, in most cases, should be small. On the other hand, outages related to network connectivity and cybersecurity could be more expensive. If tied with a data breach, it could be quite expensive and result in financial liabilities, loss of customer trust, and a negative impact on a retailer's brand, which could potentially cause millions of dollars in loss of business value.

The key here is for restaurants to identify the weakest link in the process and address it. For the majority of POS systems outages, this has typically been a cybersecurity incident driven by outdated software, bad data handling processes, or a lack of employee education."
