Many of the companies that install point-of-sale systems for small businesses neglect to set up unique passwords. When hackers find one that works at a particular franchise of a chain restaurant, they add it to the list, and often find it works at dozens or hundreds of others as well. In one of the few cases that registered on the national news radar, a Romanian gang allegedly poached credit card information from 200 Subway sandwich outlets in the United States over three years.
Once they tap into the servers, hackers often install programs to log credit card numbers. After they get the numbers, the shrewder criminals don’t use them right away. Instead, they bundle and sell them on the black market. Verified numbers fetch more than unverified ones; those with names attached fetch more still.
Customers don’t learn their information has been compromised until weeks or months later, when their banks flag purchases as suspicious. Even then the banks can’t always tell where the breach originated. And when restaurant owners do find out they’ve been hacked, some, like Harry Trubounis of SideBar 410 in Dayton, Ohio, are scrupulous enough to email their regular customers and notify them. Those are the ones that occasionally end up in the local newspaper. “I wanted to be extremely proactive in dealing with it,” Trubounis told me. But not all restaurant owners want to risk the bad publicity, even if the breach wasn’t really their fault.
Not all cybercrimes happen exactly like this. Sometimes hackers use proximity or special knowledge to target an individual business. For instance, they’ll sit down in a café, order a latte, and proceed to log into the coffee shop’s unsecured point-of-sale system through its free Wi-Fi network. Or, in somewhat rarer cases, they enlist an employee to help them. Verizon estimates 4 percent of all data breaches are inside jobs. And yes, your smiling waiter will occasionally betray you by taking down your information when you’re not looking. These days they use skimmers. But it’s hard to do that for long without getting caught, especially if you’re using the cards to make purchases locally—as a ring of thieving waiters at fancy New York restaurants recently discovered.
But more often, it’s not your waiter who’s ripping you off. It’s a junkie in Maryland allegedly hacking Seattle restaurants’ servers to score heroin money, Russian thieves hacking restaurant wholesalers, or unknown miscreants hacking Jumper’s Junction sports bar outside of Pittsburgh or a Chili’s on Yokosuka Naval Base in Japan.
Security analysts say restaurant owners and the companies that install their point-of-sale systems are becoming more aware of the danger of credit card thieves. Scott DeFife, an executive vice president at the National Restaurant Association, told me his Washington, D.C.-based group makes an effort to educate its members about the risks of cybercrime. And compared with the size of the U.S. restaurant industry, which employs 13 million people, the scale of the problem is relatively small: probably hundreds of breaches each year, affecting perhaps hundreds of thousands of customers.
Yet the Verizon report suggests business owners could still be doing a lot more: 96 percent of all data-breach hacks were “not highly difficult”—up from 92 percent last year. The number was enough to spur Verizon to take an unusual step this year. On Page 62 of its report, it includes a cut-out section with simple tips for securing point-of-sale systems and encourages customers to hand it to the managers and owners of their favorite local haunts. At the bottom it says, “For more information, visit www.verizon.com/enterprise/databreach (but not from your POS).”