Dining and Data Breaches


Americans love going out to eat, and with the serious profit potential for stolen records, it’s no wonder that restaurants are increasingly targeted by hackers. Has your favorite fast food or fine dining restaurant been hacked?

Hackers have been increasingly going after point-of-sale (POS) systems, the terminals where a cashier completes a transaction for the customer. As history has shown, many companies have not sufficiently secured these systems, making them both highly vulnerable and highly profitable to attack. The notorious Target breach a few years ago followed exactly this pattern: the criminals got in using a third-party vendor's network credentials and ultimately installed malware on the POS terminals that scraped card data out of memory as each card was swiped. Restaurants run the same kind of POS systems, and have become a tasty target for criminals.

In 2014, the restaurant chain P.F. Chang’s was notified by the US Secret Service of a data breach involving customer credit card information. The chain then suffered a series of legal setbacks, including a ruling that its cyber insurance policy did not cover the breach, and a class action lawsuit against the restaurant by affected customers.

Since then, numerous breaches have occurred around the country: an O’Charley’s restaurant in Atlanta, Georgia; CiCi’s Pizza restaurants in several towns in Texas; Popeye’s restaurants in several states; over 300 restaurants owned by Landry’s across the US; Wendy’s, Arby’s, Shoney’s, Chipotle; the list goes on.
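What the malware in the Target case, and the POS malware behind many of the restaurant breaches listed above, actually does is read card track data out of the payment application’s memory, where it sits in the clear for a moment between the swipe and encryption. The Python below is an added example, not code from the original article or from any company it names; it shows the kind of triage an incident responder runs over a memory dump from a suspect POS terminal, hunting for Track 2 data and using the Luhn check to throw out digit runs that merely look like card numbers. The memory buffer is constructed here from published test card numbers (4111111111111111 and 5555555555554444), not real card data, and the process name and offsets are invented for illustration.

```python
import re
from typing import Dict, List

# Track 2 magnetic-stripe layout: [;]PAN=YYMM SSS <discretionary data>[?]
# PAN is 13 to 19 digits, expiry is YYMM, service code is 3 digits.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\??")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check.

    Every card brand's PAN is Luhn-valid, so this drops most false hits
    (order numbers, timestamps, loyalty IDs) that happen to match the regex.
    """
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only BIN (first 6) and last 4, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes) -> List[Dict[str, object]]:
    """Scan a raw memory buffer for Luhn-valid Track 2 records.

    Returns one dict per hit with the offset, masked PAN, expiry and
    service code; the full PAN is never kept, so the report is safe to share.
    """
    hits: List[Dict[str, object]] = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue  # looks like a card number, is not one
        hits.append(
            {
                "offset": m.start(),
                "pan_masked": mask(pan),
                "expiry": f"{m.group(3).decode()}/{m.group(2).decode()}",  # MM/YY
                "service_code": m.group(4).decode(),
            }
        )
    return hits


# Constructed stand-in for a dump of a POS payment process; the surrounding
# strings and the process name are made up, the PANs are public test numbers.
SAMPLE_MEMORY = (
    b"POSAPP.EXE heap\x00\x00\x00"
    b";4111111111111111=25121011234567890?"  # valid Visa test PAN, full record
    b"\x00\x00order_id=8841\x00"
    b";4111111111111112=2512101000000000?"  # fails Luhn: decoy, must be skipped
    b"\x00receipt total 23.17\x00"
    b"5555555555554444=2708201"  # valid Mastercard test PAN, sentinels stripped
    b"\x00\x00"
)


def triage_sample() -> List[Dict[str, object]]:
    """Run the scanner over the constructed buffer (for the test and demo)."""
    return find_track2(SAMPLE_MEMORY)


if __name__ == "__main__":
    for hit in triage_sample():
        print(f"offset {hit['offset']:>6}: {hit['pan_masked']} "
              f"exp {hit['expiry']} svc {hit['service_code']}")
```

Running the scanner on a live system means pointing it at a memory image of the payment process (or a full RAM capture) rather than at a constructed buffer. Two hits on a terminal that is supposed to encrypt at the card reader is itself the finding: it means clear-text track data is reachable by anything running on that host, which is precisely what RAM-scraping malware relies on.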

It’s not just POS systems that are at risk: this past week, the popular restaurant finder app Zomato disclosed that hackers had stolen some 17 million user accounts. According to the Motherboard article about the incident, the hacker agreed to destroy the data on condition that the company instituted a bug bounty program.

As long as POS systems remain vulnerable, hackers will continue to target retail and restaurant locations. In the meantime, diligent diners should review their credit and debit card statements regularly, since customers are often the first to spot fraudulent charges and report them to their financial institutions.

A related and important question is who is responsible for the breach.

Particularly with retail and dining establishments, assigning responsibility for a data breach involving credit card information is more difficult than it appears at first glance. In order to process payments, businesses rely on a number of vendors at every step of the process: the telecommunications companies providing the internet and phone lines a modern point-of-sale (POS) system needs, the vendors who supply the POS systems, the credit card processors, and the card companies themselves. If malware infects a POS system and causes a data breach, who should be responsible? The company selling the good or service? The vendor who provided the POS system? The credit card companies? Each has a hand in every transaction, but as it stands now, responsibility generally lands on the merchant: under the card networks’ rules, the business that accepts the card is contractually on the hook for protecting card data on its premises, whoever built the equipment. That’s hardly any consolation for the average consumer.

Credit card companies still bear a large financial burden for cyber fraud, since consumers are generally protected from fraudulent charges under their cardholder agreements. That means the card company either absorbs the cost or tries to recover it, typically through chargebacks, from the retailer or vendor where the fraudulent activity originated. One article estimated that fraud and identity theft together cost nearly $16 billion in 2016. Credit card fraud continues to be a very lucrative field for criminals.

Consumers ultimately get the short end of the stick when it comes to companies and data breaches. With very few means to realistically assess whether a company has secured private and confidential data, consumers are left to trust that whenever they make a purchase, the company has put data protections in place. Unfortunately, the game of liability musical chairs, coupled with the lucrative market for data records of all kinds, makes everyday purchases akin to swimming with sharks. The government hardly has a better track record, and legislation and policy have been slow to catch up with the explosive growth of both e-commerce and cyber crime.