Dive Brief:
- Sonic Drive-In customers won a $4.3 million settlement last week stemming from the chain’s 2017 credit card data breach. The breach affected 325 Sonic locations across the country, according to Law360.
- The malware attack exposed credit and debit card information of customers who ate at franchise-owned Sonic locations between April 7 and Oct. 28, 2017. Ninety percent of Sonic’s system is franchised.
- Sonic is one of a string of restaurant companies that have suffered breaches recently. In the past two years, Panera Bread, Applebee's, Cheddar's Scratch Kitchen, Chipotle, Wendy's and Arby's have all been compromised.
Dive Insight:
The Sonic Drive-In settlement indicates that consumers are ready and willing to fight back against data breaches, and for good reason. A quick glance at the number of breaches within the past two years shows this crime is on the rise. According to Business Insider, at least 16 retailers have been hacked since January 2017.
About 54% of all quick-service restaurants in the U.S. are franchised, generating nearly 70% of sales. The heavily franchised model of the restaurant industry leaves chains significantly more vulnerable to security breaches, as point-of-sale systems tend to be disparate and outdated. This vulnerability is compounded by the swift increase in online ordering. According to a report from cybersecurity firm Shape Security, 80 to 90% of consumers who log into a retailer’s e-commerce site are hackers using stolen data.
Improving POS security isn't an easy fix, either. Franchisees are typically on the hook for updating their payment technologies, which can be a significant investment on top of other headwinds, such as higher labor costs.
But it can be even costlier to not update POS terminals to include encrypted, chip-enabled technology. Dated systems are easy targets for hackers. And if hackers find success with one franchised system, what’s to stop them from going after another?
Franchise-heavy restaurant chains should consider updating their policies to mandate chip-enabled POS systems, and kick in some funding to help expedite the process if necessary. Franchisers would also be savvy to facilitate a systemwide analysis of their systems to identify cybersecurity risks and invest in cybersecurity insurance. Providing cybersecurity training for employees and developing a crisis response plan to have in place should a breach occur can also help protect chains.
Such prioritization is worth it when considering the potential financial burdens of a breach — such as Sonic’s $4.3 million settlement — and more critically, the reputational risks. According to a study by KPMG, 19% of customers said they would stop visiting a brand if a breach occurred, and 33% said they would take a break from the company for an extended period of time.
Even if a million-dollar class action suit doesn’t arise, Varun Badhwar, CEO and co-founder of security firm RedLock, told QSR Magazine that the average cost of responding to data breaches is more than $150 for each piece of compromised data. “You have to believe you are going to be targeted,” he said. “It’s not a matter of if, it’s a matter of when. So, proactively you need solutions.”