As with any security failure in a restaurant, they can cost business owners the trust of their customers. Cybersecurity is no exception.
According to a recent IBM data breach report, the global average cost of a data breach is $3.26 million—up 6.4 percent from 2017. The average cost for each lost or stolen record containing sensitive and confidential information is $141.
Point-of-sale data breaches are a serious concern for businesses that can lead to a lack of trust from consumers and a crippled system that could cost a fortune to fix. We compiled a list that we’ll keep up-to-date with the latest POS data breaches to help restaurants and their consumers stay protected against past and current threats.
| Dates Affected | Company | Details |
| 2019 | Landry’s | Landry’s, the parent company of over 600 restaurants, casinos and hotels, including Bubba Gump Shrimp, Joe’s Crab Shack, M Grille and Rainforest Cafe, reported that they detected unauthorized access to the network supporting their payments processing systems between March and October of 2019. |
| 2019 | Wawa | Over 800 of Wawa’s convenience stores had POS malware planted in their systems that went undetected for 8 months. The malware is said to have harvested payment information, like names, card numbers and expiration dates. |
| 2019 | Catch Hospitality | Catch NYC, Catch Steakhouse and Catch Rooftop disclosed the presence of POS malware in their systems between March and October of 2019 that searched for track data, which could include cardholder and card information. |
| 2019 | DoorDash | In September, the company announced that a breach—which occurred on May 4 and affected users who created accounts before April 5, 2018—affected 4.9 million customers, delivery workers and merchants who had information stolen by hackers including names, email and delivery addresses, order history, phone numbers and passwords. |
| 2019 | Checkers’ and Rally’s | Malware planted by hackers collected credit card information from systems at over 100 locations. Almost 15 percent of locations were compromised from software that was installed in September of 2018. |
| 2019 | Mudshark Brewing Company & Other Arizona restaurants | An investigation of “suspicious activity” led to the uncovering of dozens of Arizona restaurants having data breaches that may have compromised customers’ personal information. |
| 2018 | Applebees in Ohio | The breach only impacted restaurants within Ohio—not the entire Applebees network. Customers were experiencing credit card fraud and identity theft after visiting the restaurants. |
| November 3, 2017 to January 2, 2018 | Darden Restaurants | Darden was notified that their POS system may have been targeted in a cyber attack statewide. It is believed that the hackers accessed payment information of customers who went to the restaurant from November 3, 2017, to January 2, 2018. |
| 2018 | Dunkin’ | Personal information from the coffee chain’s DD Perks rewards program was compromised in a data breach where third-parties obtained usernames and passwords through external companies’ security breaches. They then attempted to log into some of the DD Perks accounts. |
| May 2018 to March 2019 | Earl Enterprise restaurants including Planet Hollywood, Buca di Beppo and Earl of Sandwich | Two million customer credit cards were stolen between May 2018 and March 2019 from over 100 restaurants belonging to Earl Enterprises. The restaurants, which include Planet Hollywood, Buca di Beppo and Earl of Sandwich, had their POS terminals infected with malware, and the credit card numbers were on sale less than a month later. |
| 2018 | Marriott Starwood Hotels | Hackers accessed their database and copied all of their customer information. Information that was taken included phone numbers, email addresses, passport numbers, reservation dates and some payment card numbers and expiration dates. |
| 2018 | Panera Bread | Panerabread.com leaked customer records in plaintext and Panera temporarily took its site down to resolve the bug. |
| 2018 | PDQ | A hacker was able to gain unauthorized access to their computer systems and acquired the names, credit card information, expiration dates and CVV of its customers. |
| 2018 | Zippy’s Restaurant | The restaurant informed customers that there was a data breach involving its credit and debit card processing system. Information impacted includes the cardholder’s name, card number, expiration date and security code. Customers that shopped online, through their corporate office fundraisers and caterers were not affected. |
| 2017 | Arby’s | Malware was placed on payment processing systems inside certain corporate stores in 2017. The breach did not affect all restaurants and its scope is not currently known. |
| March 24, 2017 to April 18, 2017 | Chipotle | There was unauthorized activity detected on Chipotle’s network that supports in-restaurant payment processing. They believe that payment card transactions between March 24, 2017, and April 18, 2017, may have been affected. |
| 2017 | Huddle House | Hackers used a third-party POS vendor system to access and deploy malware onto Huddle House’s POS systems. They do not know the extent of the breach but warn that customers’ credit card information could be at risk. |
| 2017 | Hyatt Hotels | Hyatt discovered unauthorized access to its payment card information, including credit and debit card information, was stolen from the front desks of several of their properties. Information that was taken included card numbers, expiration dates, internal verification codes and cardholder names. |
| 2017 | InterContinental Hotels Group | Malware was found on payment processing servers which were used at restaurants and bars in the hotel group. Stolen data included cardholder names, card numbers, expiration dates and internal verification codes. |
| 2017 | Sabre Hospitality Solutions | Sabre revealed that there was a breach that allowed hotel customer payment information to be compromised. |
| 2017 | Shoney’s | Credit card companies have received alerts of fraud on customer cards that can be linked back to Shoney’s in 2017. |
| 2017 | Sonic | Sonic learned of a data breach when their credit card processor informed them of unusual activity on their customer payment cards. A “fire sale” was discovered that included millions of stolen credit and debit card numbers on the Dark Web. |
| 2017 | Whole Foods Market | Whole Foods discovered a breach of its payment system that most likely did not affect those who shopped at the company’s grocery stores. It was discovered that unauthorized access took place in locations with tap-rooms and full-service restaurants. |
| 2016 | Noodles & Company | Customer credit card information was compromised due to malware found in their system. Compromised information includes cardholder names, card numbers, expiration dates and CVVs. |
| 2016 | Wendy’s | Wendy’s claims that a third-party service provider had access to it’s POS systems that were hacked. The malware breach was aimed at collecting credit and debit card information. |
| December 2013 | The Briar Group | This restaurant group with 10 restaurants throughout Boston experienced a data breach in December of 2013. Customers started noticing strange activity on their credit/debit card accounts. It was determined that the parent company of these restaurants experienced a system hack and credit card numbers, expiration dates and security codes were taken. |
| 2013 | Zaxby’s | The Southern-based fast-food chain had a computer system and POS breach due to malware and other suspicious files stored locally. The files were designed to collect and transmit credit and debit card information. |
How to prevent a POS data breach
To ensure that your restaurant doesn’t face a similar fate as the restaurants we listed above, we have five tips for preventing a POS data breach.
1. Be PCI compliant
Being PCI compliant means that the vendor complies with the security standard defined by the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is an information security standard for organizations that handle branded credit cards from the major card schemes.
2. Actively monitor your POS’ network
Keep a close eye on your POS network for strange traffic patterns. You are able to detect changes in user activity, files and unusual data transactions, etc. before cybercriminals steal your data for good.
3. Reduce insider threats
By organizing routine background checks on employees and creating a policy that outlines information security can help control who has access to data.
4. Use strong passwords
Don’t forget to change any default passwords that are set up by your POS company after installation. These passwords are typically not very secure and can pose a risk to your business. We recommend using complex passwords and unique account names.
5. Encrypt your data
Using a POS that enables data encryption is key to running a restaurant safe from cyber threats. Lightspeed provides restaurants with a best-in-class infrastructure that protects businesses and consumers from the dangers of a data breach. Learn more about our secure system and book a demo with our team today!
Dean Chester, an expert on VPN encryption, states, “Often, data leaks are facilitated by some employees working remotely—for example, from their homes. Their home systems and networks can be quite easy to break into for hackers and if it happens, it will compromise the restaurant system, too. This is why it is necessary to require the use of a business VPN by all remote workers. Without getting too deep into what a VPN is, this technology encrypts the traffic between the employee’s device and the corporate system. Thus, this traffic becomes impossible for a criminal to see.“
At Lightspeed, security is paramount
We understand the central role that a POS system and commerce platform play in your business. That’s why Lightspeed is always working to use the latest and greatest technology and strategies to secure you and your customers’ data. To learn more, talk to our team of experts.
News you care about. Tips you can use.
Everything your business needs to grow, delivered straight to your inbox.
