Countering cyberattacks on restaurants
Last April, a cyberattack hit NCR and its Aloha POS, one of the restaurant industry’s leading point-of-sale (POS) systems. While the ransomware attack did not disrupt in-store purchases, it halted other key operations at restaurants across the country, including online ordering, gift card transactions and back-office functionalities like payroll.
It was yet another reminder of the ongoing work of nefarious online actors and the continuous threat they pose to restaurants.
“Remember that our adversaries run businesses, too, and they want to fuel their own bottom line,” says Gunnar Peterson, chief information security officer at Forter, a fraud prevention technology company.
While any business, big or small, is at risk of a cyberattack, restaurants – from independents to franchises to enterprises – remain a particularly compelling target given the industry’s growing reliance on technology, the large amounts of personal data restaurants often possess and the other more pressing issues (inflation, customer service and labor, for instance) capturing their immediate attention and nudging cybersecurity down the list of concerns.
“There is plenty of valuable data for the taking if it is not adequately protected,” reminds Shelby Menard, an attorney with Plano, Texas-based Spencer Fane LLP who works in cybersecurity and data privacy.
Cyberattacks on restaurants
According to Brady Harrison, director of customer analytics solution delivery at Kount, an Equifax Company, basic ransomware activity like NCR encountered – encrypting or denying access to a system or files until a ransom is paid – remains prevalent, though account takeover attacks are on the rise.
With consumers calling for easy, streamlined experiences, restaurants have increasingly rolled out online ordering and mobile apps. While such digital platforms appease consumer demand and help eateries secure sales, they also hold payment information, loyalty points and the like, which make them a prime target of fraudsters.
“And if accounts are hacked, the restaurant faces revenue loss, reputational damage and security non-compliance fines,” Harrison says.
Card testing is also becoming more commonplace. This happens when criminals make small, inconspicuous purchases testing the validity of stolen payment information, buying a fountain drink or cookie perhaps.
“Not only does the restaurant lose the revenue from the sale when the cardholder disputes the unauthorized purchase, but the restaurant also pays an authorization fee for an interaction that has no profit,” says Harrison, who has seen restaurants ring up $30,000 authorization bills after getting card tested.
Menard also sees cybercriminals hacking into restaurant POS systems, installing malware and snagging customers’ financial data and other private information.
4 steps to cybersecurity vigilance
As restaurants continue embracing technology and cyberattack risks refuse to budge, vigilance is key to warding off victimization. Though nothing will fully insulate a restaurant from a cyberattack event – after all, unscrupulous actors can be especially crafty and persistent – Peterson says, “A few careful steps will help you outrun the bear most of the time.”
- Create a risk management plan. A risk management plan includes a continuous cycle of discovering, assessing and remediating any cyber risks, such as regularly updating software, particularly on the POS, and ensuring encryption and firewalls are being used to protect sensitive data. Menard suggests each restaurant appoints a specific person to execute this IT responsibility, even if that means overseeing a relationship with a managed service provider as an alternative to in-house IT personnel.
“No matter the size, all restaurants should have someone conducting and managing their security,” Menard says.
- Train staff on cybersecurity issues. To minimize risk against scams and cybersecurity threats, operators should alert employees to common cyberattack strategies.
Menard suggests basic security training for any employee holding a company e-mail address or access to the secure system.
- Implement strong password policies: Weak passwords like NYCPizza or password123 are among a restaurant’s top vulnerabilities. At the minimum, restaurant leadership should establish password policies requiring a combination of numbers, letters and symbols. Passwords should also be changed every 2-3 months. Even better, restaurants should incorporate multi-factor authentication. A multi-step account login process increases a restaurant’s protection from cybercriminals, Peterson notes.
- Keep antenna up: Like it or not, cybersecurity demands constant attention and vigilance to spot vulnerabilities or, worse, an attack.
According to Harrison, common red flags for account takeover fraud include multiple failed login attempts over a short period of time, data points inconsistent with a customer’s typical action (like a different device ID or IP address) and unusual activity once the user is in the account, such as changing the payment information or draining loyalty points.
On the card testing side, Harrison encourages operators to look out for a large number of low dollar amount transactions. Once fraudsters detect an easy mark, he says they will act quickly to do as much damage as possible before detection.
“Watch for unusual patterns, such as multiple transactions from the same IP address or device, an unusually high authorization decline rate or a sudden spike in chargeback rates,” Harrison says, adding that a service provider native to the restaurant’s POS or customer relationship management software can help a restaurant regulate risk.
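The card-testing signals described above (many low-dollar transactions from one IP address or device, with a high decline rate) can be checked mechanically over authorization records. The sketch below is an added example, not code from the article or from any vendor it names; the record fields, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration; tune them against your own baseline.
LOW_AMOUNT = 5.00               # cutoff for a "low dollar amount" transaction
WINDOW = timedelta(minutes=10)  # how close together attempts must be
MIN_ATTEMPTS = 5                # low-value authorizations per source within WINDOW
MAX_DECLINE_RATE = 0.5          # decline share treated as "unusually high"

def card_testing_alerts(transactions):
    """Return {(kind, source): (attempts, decline_rate)} for suspicious sources.

    Each transaction is a dict with keys ts, ip, device, amount, approved.
    IP address and device ID are tracked independently of each other.
    """
    by_source = defaultdict(list)
    for tx in transactions:
        if tx["amount"] <= LOW_AMOUNT:
            by_source[("ip", tx["ip"])].append(tx)
            by_source[("device", tx["device"])].append(tx)

    alerts = {}
    for source, txs in by_source.items():
        txs.sort(key=lambda t: t["ts"])
        start = 0
        for end in range(len(txs)):
            # Advance the window start so the burst spans at most WINDOW.
            while txs[end]["ts"] - txs[start]["ts"] > WINDOW:
                start += 1
            burst = txs[start:end + 1]
            rate = sum(1 for t in burst if not t["approved"]) / len(burst)
            largest_so_far = alerts.get(source, (0, 0.0))[0]
            if (len(burst) >= MIN_ATTEMPTS and rate >= MAX_DECLINE_RATE
                    and len(burst) > largest_so_far):
                alerts[source] = (len(burst), round(rate, 2))
    return alerts

# Constructed sample data: one source making rapid small purchases, plus ordinary customers.
T0 = datetime(2024, 1, 1, 12, 0)
SAMPLE = [
    {"ts": T0 + timedelta(seconds=40 * i), "ip": "203.0.113.7",
     "device": f"dev-{i % 2}", "amount": 1.99, "approved": i % 4 == 0}
    for i in range(8)
] + [
    {"ts": T0 + timedelta(minutes=3 * i), "ip": f"198.51.100.{i}",
     "device": f"cust-{i}", "amount": 2.50 + i, "approved": True}
    for i in range(4)
]

if __name__ == "__main__":
    print(card_testing_alerts(SAMPLE))
```

In the sample, only the shared IP address crosses the threshold, because each device ID appears in just four of the eight attempts; this is why both identifiers are counted separately.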
What should a pizzeria do if it suspects a cyberattack?
While a proactive approach to cybersecurity is a restaurant operator’s most important cybersecurity step – “You don’t want to be looking for buckets when your house is on fire,” Brady Harrison of Kount reminds – online criminals can be a clever bunch capable of hurdling even the most well-designed safeguards.
If a pizzeria suspects it has been compromised, Harrison suggests leaning on the expertise of providers to mitigate the attack’s damage. The restaurant’s ecommerce provider, for example, might have a baked-in solution or a plugin to an order management system.
Pizzerias should also have the ability to operate offline for a bit in “limp mode,” Forter’s Gunnar Peterson says. That way, the eatery can continue serving customers as opposed to shutting down the shop until a resolution arises, which compounds a cyber event’s negative impact.
Finally, restaurant leadership should alert local law enforcement as well as the eatery’s cyber insurance provider. A breach attorney, in particular, can provide critical assistance in helping a restaurant navigate a complex, unfamiliar problem.
DANIEL P. SMITH, a Chicago-based writer, has covered business issues and best practices for a variety of trade publications, newspapers, and magazines.