Dive Brief:
- Delivery company EatStreet has disclosed a security breach within its system that occurred from May 3-17. According to Security Today, the hacker accessed the company's database, which includes information about delivery and restaurant partners, such as names, phone numbers and bank accounts. Some customers' names, addresses, emails, phone numbers and payment card information were also accessed by the hacker, believed to be Gnosticplayers.
- In response, EatStreet reinforced its multi-factor authentication and is rotating credential keys and reviewing and updating coding practices.
- EatStreet exists in over 250 cities and partners with over 15,000 restaurants, illustrating the potential breadth of this breach.
Dive Insight:
Restaurants are a growing target for hackers. The heavily franchised model of the restaurant industry adds significant vulnerability to security breaches, as point-of-sale systems tend to be disparate and outdated. This vulnerability is compounded by the swift increase in online ordering. According to a report from cybersecurity firm Shape Security, 80% to 90% of consumers who log into a retailer's e-commerce site are hackers using stolen data.
The cyber target becomes even bigger when considering restaurants' increasing dependence on third-party services, like delivery aggregators and reservation apps, which creates an additional entry point for hackers to access customer data. Improperly securing data could not only harm the reputation of the delivery company, but could also turn customers away from the restaurant. Consumers who have a bad delivery experience often blame both the restaurant and the delivery company, even if the issue falls squarely on the delivery company.
And the risk is only growing. In 2016, when EMV point-of-sale adoption took place, cyber attacks on food delivery companies increased by nearly 50% compared to the year before, according to the Merchant Research Council.
Opus' recent Ponemon Institute study shows that 61% of U.S. companies have experienced a data breach caused by their vendor or third parties. In a press release, Opus VP Dov Goldman said the third-party ecosystem is an ideal environment for cyber criminals because it's large and complex. This risk is expected to grow as the space grows.
Further, Opus said that companies share confidential and sensitive information with about 583 third parties on average, but just over a third have a detailed list of those vendors, PYMNTS.com reports.
In other words, this type of third-party breach may turn some restaurants off of EatStreet for now, but the risk is potentially as high with another vendor in the space. The bigger challenge for restaurants, then, is to be more proactive and strategic with their security measures, and also mindful and stringent with their technology partners' programs.