US food chain Wendy’s was hit by a massive cyber attack early in 2016. At least 1,025 of its restaurants were targeted – with debit and credit card information stolen. Malware had been installed on point-of-sale systems in the affected locations. Wendy’s has blamed a third-party for the intrusion, saying a service provider that had remote access to the till systems was compromised.

In May 2016 a Government survey found that nearly 7 out of 10 attacks on firms involved viruses, spy ware or malware.  It also found that while one in four large firms experienced a breach at least once a month only half of all firms had taken any recommended actions to identify and address vulnerabilities.  Even fewer, about a third of all firms, had formal written cyber security policies and only 10% had an inbuilt management plan in place.

Technology driving security vulnerability

Restaurants are becoming more vulnerable to cyber attack as a result of embracing the new technologies demanded by consumers. This is particularly the case when technology is cloud-based (with questions to be answered over where the data is stored and who owns it). The fact that restaurant companies process millions of credit card transactions increases susceptibility, as does the increase in third parties becoming involved in handling of data.

Security gaps can open up as customers increasingly use apps to check table availability and make reservations via a mobile device. Loyalty programs are now being integrated with reservation systems to capture sensitive customer data, putting even greater onus on operators to protect data.

The demand for new services such as food delivery from restaurants opens up a wealth of customer data, including payment information, to third party delivery providers. It may become increasingly difficult to control who has access to this data, as it is quite possible these third parties may be sharing sensitive data with other parties, or not storing it securely themselves.

Other innovations, like self service technologies allowing customers to place orders in restaurants and pay without the intervention by staff, may be managed by outsourced providers. Again, they are capturing data about customers, including more general information such as dining preferences, but also sensitive credit card data taken during the payment process.

The human factor

But restaurant operators should not lose sight of the fact that a major weakness in data security comes down to humans, being an industry that is reliant generally on lower cost labour, which can lead to high turnover and protocols not being followed. It is still the case that credit cards can leave a customer’s sight while being processed, and credit card transactions can be enacted over the phone for takeout orders.

Operators should consider access to data by employees and franchisees, as well as supply chain partners and other third parties, and how this is monitored and managed. As more restaurants become franchisee-operated, risks can increase unless franchisees work under strict parameters and standards when it comes to deployment of technology.

Action you should take

There are sound business reason for bolstering your IT security, whether it means protecting the bottom line from the costs that can be incurred as a result of a security breach, or maintaining brand reputation and avoiding the kinds of potentially ruinous publicity that can result where guests discover their personal details have been hacked as a result of a visit at your establishment. In today’s connected world, bad publicity is often exacerbated by social media and online communication forums that rapidly spread news of cyber attacks.

There are several steps that a business can take to improve the security of its IT systems and these include:-

  • Having a cyber risk management policy and ensure that this is part of the company’s governance framework
  • Defining roles and responsibility and oversight;
  • Conducting a regular risk assessment and acting on the results where vulnerabilities are highlighted;
  • Adequate training and employee awareness so that staff are adequately trained on all relevant policies and procedures;
  • Continuously monitoring and where relevant introducing safeguards such as:
    • limiting the number of computers and devices that store sensitive information;
    • ensuring the Wi-Fi network uses a secure wireless connection and an effective firewall;
    • Use encryption for storing, receiving and transmitting data;
    • Making sure any suppliers who use your IT systems have appropriate security procedures themselves
  • Insurance and it may be that specific cyber insurance is appropriate after considering the extent of coverage already provided for cyber risk under existing insurance policies, being careful of the exclusions or conditions that could prevent payout in the event of a claim.

When considering insurance, it is important to make sure that you have sufficient limits to cover each of the costs and liabilities you potentially face.

For advice on cyber risk in the hospitality industry and strategies to protect your business please contact Nigel Gardner.


The content of this page is a summary of the law in force at the present time and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.