Dive Brief:
- Dunkin' has reported a data breach with its DD Perks mobile rewards program that occurred on Oct. 31, according to a company statement. Third parties may have gained access to names, DD Perks account numbers, usernames, passwords and email addresses. The statement did not mention any impact to credit card accounts linked to the program.
- The company believes hackers gained access to accounts through data breaches from other companies and used similar credentials to log into online accounts, including DD Perks.
- Dunkin's security provider was able to stop most of these attempts, but it is possible that some hackers got through. Impacted customers have been notified and passwords were reset. Any breached DD Perks cards have been replaced with new account numbers.
Dive Insight:
While data breaches are nothing new to the restaurant industry, they typically impact POS machines instead of online rewards programs. But restaurants and delivery services are increasingly being targeted for online payment fraud, according to Fast Casual.
In 2017, for example, a flaw on Panera's website leaked customer information for at least eight months until it was fixed in April. Anyone who ordered online could have had their name, address, birthday and partial credit card information exposed.
Dunkin's data breach likely only impacted a small percentage of customers, as hackers never breached its internal systems. The company advised customers to make sure they do not reuse the same username and password across different online accounts, and is working with law enforcement to help identify and apprehend the perpetrators.
Quick-service restaurants are particularly vulnerable to data breaches, especially since franchisees tend to be small business owners who may not understand the need for security protocols, according to QSR Magazine.
The risks here are high: data breaches can hurt a brand's reputation and turn customers away, especially if there are multiple breaches. Data breaches can add up, too. Each piece of breached data costs about $150. A breach of one million records can cost a company $40 million, according to Forbes. Sonic learned this all too well last year after millions of credit and debit cards were stolen from a number of POS machines throughout the country and were quickly put on the dark web for sale.
Restaurants should make sure they are using chip card readers, train staff on what to look for to prevent a breach and have a plan in place for what to do after a breach occurs. Although most of the attention gets paid to breaches from well-known brands, small and midsize companies also are vulnerable to attacks on their POS machines.