Restaurants' tech awakening becomes a security risk

The industry’s embrace of technology has made it a bigger target for cyberattacks. Here’s what restaurants can do to protect themselves.
Cyberattacks are becoming more common and more costly. | Illustration by Marty McCake and Nico Heins

Restaurants have come a long way on technology in recent years. The pandemic made things like online ordering and digital loyalty programs commonplace and opened the door to new frontiers like AI and machine learning. Once viewed as a tech laggard, the industry has become decidedly tech-dependent. 

But what looks like progress to restaurants can look like a bullseye to criminals. The industry’s build-up of technology has left restaurants more exposed to hackers bent on squeezing companies for ransom or stealing data that can be sold on the dark web.

Cyberattacks are common, costly and, according to experts, almost impossible to fully defend against. Just about every business is at risk, but the restaurant industry is in a particularly vulnerable position. The proliferation of tech in restaurants has created more entry points for hackers, and because this tech tends to comprise a patchwork of apps and vendors, a unified front can be difficult to coordinate. 

Plus, the industry appears to be trailing other sectors on cybersecurity. A 2022 report from insurance provider Hiscox Group concluded that food and drink companies are the least prepared for a cyberattack because they were far more likely than other industries to fold to hackers’ ransom demands. This year, just one restaurant made it onto Forbes’ ranking of the 200 most cybersecure companies in America: In-N-Out, at No. 176.

Simply put, “restaurants are a target because of the ease of being able to do it,” said Stephanie Benoit-Kurtz, lead cybersecurity faculty at University of Phoenix College of Business and Information Technology and regional security director for tech consultant Trace3.


Cyberattacks threaten both big chains—which have more revenue and data to exploit—and small operations, which tend to have weaker cybersecurity measures. And the stakes for both could not be higher.

“It has the ability to shut down a business if it’s not managed or taken seriously,” said Pankaj Patra, the newly hired CTO of Denny’s. In his former job as CIO of Brinker International, Patra helped guide the Chili’s owner through a cyberattack in 2018. Cybersecurity still keeps him up at night.

“This is something I am probably going to lose my sleep on, because it not only affects the brand reputation but it also can shut down the business,” he said.

That’s why it is becoming a bigger priority for many restaurant companies as they enter a new age of digitization. 

“It’s in the top of mind of every board of every company,” said Jeff Caplan, CIO of Hooters of America, during the FSTEC conference last month. “It’s a business discussion, not just a technology discussion.”


By all accounts, cyberattacks are becoming more common, more sophisticated and more costly. Just last month, an attack on MGM Resorts disabled slot machines, ATMs and guests’ room cards for days and ultimately cost the casino giant about $100 million. A simultaneous attack at Caesars Entertainment prompted the company to pay a reported $15 million in ransom.

But many of these towering attacks start with a simple email. 

According to IT services provider AAG, nearly half of all emails sent in 2022 were spam designed to get people to hand over passwords or other identifying information. These scams, known as phishing, are the first step in more than 90% of cyberattacks, according to the federal Cybersecurity & Infrastructure Security Agency. Cutting them off is one of the best things a restaurant can do to protect itself.

“Email security is super, super important,” said Benoit-Kurtz. “[Train] your employees to understand what to look for. If they see something that looks odd, say something.”

A successful phishing attempt gives hackers a foot in the door to a company’s tech network. From there, they can burrow deeper and install disruptive software known as malware. One of the most common forms of malware is ransomware, which locks down a company’s system until the company pays to release it.


Ransomware incidents are up 37% in 2023, according to security software firm Zscaler. In September alone, there were 70 such attacks reported worldwide, according to a tally kept by cybersecurity company BlackFog. It was the most in a single month since the company began tracking attacks in 2020.

One reason for the increase is that hackers are getting more efficient, Benoit-Kurtz said. Fifteen years ago, a cyberattack might have involved a single bad actor manually gaining access to a company’s systems. Today, “it’s orchestrated, it’s automated,” she said. “In a lot of cases, they’re using AI and all kinds of bots and different types of tools to go after these things.”

That means that large organizations “are literally being pounded on their firewalls, through email, through different avenues, millions of times a day,” she said.


That includes restaurant companies. At least four chains or suppliers have been hit with attacks this year: Yum Brands, Five Guys, food distributor Ben E. Keith and POS provider NCR. And that doesn’t include the many attacks that go unreported, which account for the vast majority, according to BlackFog.

The attack on Yum, the owner of Taco Bell, KFC and Pizza Hut, forced it to close about 300 U.K. restaurants for one day. The company did not reveal how much the attack cost, but in an SEC filing, it reported that its corporate and unallocated G&A expenses were up 25% year over year through June, in part due to costs associated with the attack.

Yum was later sued by employees whose data was compromised. Five Guys also faced a class-action lawsuit after staff social security numbers were accessed by hackers. Lawsuits like these are common in the aftermath of cyberattacks. 

The April attack on NCR, meanwhile, disabled one of its data centers and left restaurants unable to access payroll and other administrative systems. Recovery efforts ultimately cost the company $11 million, according to SEC filings.


While there is no way to be 100% impenetrable to hackers, there are many things restaurants can do to manage their risk and limit the damage if an attack does happen.

The best place to start is by making a plan, Patra said. When Brinker discovered an attack that exposed customer payment data in 2018, it immediately put into motion an emergency procedure that outlined what every department in the company should be doing.

IT, for instance, was responsible for containing the attack, while the PR team worked on how to communicate the news, Patra said. The company notified guests whose data may have been impacted and alerted the appropriate law enforcement agencies and the banks involved.

Each step of the process had been codified in advance, so when the day came, Brinker was following directions rather than scrambling.

“Having a plan is so critical for this whole thing,” Patra said. “Once you have the plan, and in the unfortunate event that you get into some of those things, you start thinking about, ‘OK, how do you stick to the plan and execute it?’”

Patra also recommended conducting regular tabletop exercises that simulate a cyberattack, allowing teams to role-play their response. Importantly, those dry runs should include a restaurant’s tech and services vendors, because they can be involved in an attack, too, Patra said.

Businesses should also have a way to continue operating if and when tech systems are shut down, Benoit-Kurtz said. That could include investing in additional payment gateways or creating an immutable backup of POS data—essentially a copy that can’t be overwritten or encrypted by hackers. 

But simply having a plan and a backup won’t be enough to prevent attacks in the first place. In the wake of its 2018 breach, Brinker also upgraded its defenses. It invested in endpoint protection software that monitors its system for unauthorized or malicious activity. And, suspecting that the break-in had started with a phishing email, it put a “hyper-focus” on email filtering, including adding software that corrals non-work-related emails.

It also stepped up its education for staff. Every quarter, Brinker sends a mock phishing email to a group of employees to see who clicks on it. Those who fall for it multiple times have to do additional training, Patra said.


For smaller restaurants that may not have the resources to do all of the above, there are even more basic steps that can be taken, like making sure passwords are strong.

Chris Breeden, owner of Arnold’s Bar & Grill in Cincinnati, learned that lesson the hard way last year when hackers gained access to his personal Facebook account and took control of the attached business page for Arnold’s.

They were able to get in, he said, because he had been using the same password for everything. He was then locked out of Arnold’s Facebook and Instagram accounts, leaving him unable to use the restaurant’s primary marketing channels for a month.

“If you take that away, it’s the most important advertising aspect of my business,” he said, estimating that he lost thousands of dollars as a result. Other restaurants in the area were hit with the same attack, he said.

His advice: “Change your password as soon as you’re done reading [this] article. Because there’s a good chance your password has been compromised.” 

He also recommended setting up two-factor authentication wherever possible. That requires a user to give two forms of identification—typically a password and a PIN sent to their phone or email—when logging on to an app or website.

Restaurants can also buy cybersecurity insurance. Coverage often includes additional support like an incident response team, a forensic team, legal counsel and even PR and crisis communication, said Christopher Ham of cyber insurance broker CoverWallet.

The insurance can be relatively inexpensive. For the average small- to medium-sized business, coverage costs between $1,000 and $1,500 a year, Ham said, while the average claim is $100,000 to $300,000.

Ham said he has seen more demand from restaurants for that insurance recently. “Restaurants are becoming more aware of the growing number of cyber incidents,” he said. “So in most cases, most restaurants come to us before they have a claim.”
