21 May, 2015
Cybersecurity breaches against retail companies have been heavily discussed in the last year. The food and beverage industry is very similar to retail, using the same technologies that have gotten retail companies – such as Target and Home Depot – in hot water. The recent breaches of Cafe de Coral and Biggby Coffee demonstrate that cybercriminals are not just attacking point-of-sale systems, they are attempting to hack any weakness they can find.
In the attacks of Cafe de Coral and Biggby Coffee, hackers were able to exploit vulnerabilities in these companies’ loyalty and bonus point programs to achieve a data breach.
"With financial institutions gradually recognizing the need for cybersecurity, hackers are aiming for weaker points in the payment process instead," said Chia Ling Koh, Partner, Intellectual Property and Technology Groups of ATMD Bird & Bird. "The situation is likely to worsen with the proliferation of loyalty programs and stored value mobile transactions that may not even involve financial institutions."
We had the opportunity to speak with Ling about the cybersecurity of food and beverage organizations, why these companies have such a big target on their back, the types of attacks used against them, and Chip and PIN.
Our edited conversation follows.
Do cybercriminals see food and beverage organizations as low hanging fruit?
The food and beverage sector is a frequently compromised industry, second only to retail. The Trustwave Global Security Report 2014 said that 35 percent of breaches came from the retail industry while 18 percent came from the food and beverage industry. The Trustwave Global Security Report 2013 noted that both the retail and the food and beverage sectors were "almost interchangeable, with similar network layouts due to the payment systems and software vendors used." If the retail sector is frequently compromised, it is not surprising that the food and beverage sector is also frequently compromised.
Why have food and beverage organizations become such a large target?
The food and beverage industry tends to have very high transaction volumes where low-valued exchanges happen frequently. It also has a large customer base. This means that the industry’s IT systems process and transmit a significant volume of sensitive data.
The food and beverage industry has limited resources and is largely unregulated. These organizations are less likely than financial institutions to focus on cybersecurity, or to deem cybersecurity a worthwhile use of their already limited resources.
For example, food and beverage franchisees are often required to use information technology defined by the franchisor. Landlords frequently dictate the IT accounting systems used by their tenant outlets. This means that a security exploit which works against one franchise branch or tenant outlet will likely also work against all other franchise branches or tenant outlets – making it easy to replicate the exploit at other locations.
What is the most common attack vector against food and beverage organizations? Is it similar to retail breaches?
The Trustwave Global Security Report 2014 said that e-Commerce seems to be the most common attack vector, accounting for 54 percent of the investigated breaches. Point-of-sale breaches came in second and accounted for 33 percent of investigated breaches.
For the food and beverage industry, point-of-sale breaches may indeed be the most common attack vector. There have even been reports of fake point-of-sale devices masquerading as real devices. When unsuspecting vendors use them to effect card payments, the payment card’s details are extracted.
What kind of security is lacking in the food and beverage industry?
The cybersecurity of a network is only as strong as its weakest link. It only takes one weakness to infiltrate an entire network. One very important security weakness in the food and beverage industry is the people factor. Staff at all levels – especially those having access to password-protected systems – are susceptible to social engineering.
Educating employees on the importance of cybersecurity can go a long way towards ensuring that the company’s systems are not easily compromised. Still, social engineering is not a phenomenon unique only to the food and beverage industry.
The advent of new payment systems – such as NFC and mobile phone applications – has opened up new avenues which cybercriminals can take advantage of. The recent Starbucks mobile phone application breach in 2014 shows that this is not a remote possibility. Security measures specifically relating to this, such as encryption of customer card data on vendors’ registers and computers, are also an issue.
Will the food and beverage industry benefit from Chip and PIN?
In general, any sort of added security would certainly benefit the food and beverage industry. Chip and PIN apparently is improved security over conventional magnetic strip payment cards or contactless payments. However, companies must be careful not to become complacent and neglect other forms of cybersecurity merely because they utilize Chip and PIN.
Having said that, the food and beverage industry needs to weigh the benefits against the cost. Chip and PIN requires the customer to take an additional step in payment, and the current trend is to do away with as many unwarranted steps as possible when making a payment.
Can you provide some tips or advice for these companies concerning their cybersecurity?
Food and beverage companies cannot underestimate the importance of the security of their payment systems. This is a prime target for cybercriminals due to the large volumes of transactions and having a relatively weak security system.
There are now over 100 countries that have data privacy laws in place that impose obligations on companies to protect the personal data collected from customers. A cybersecurity breach may cause companies to suffer financial and legal consequences under these laws due to a failure to fulfil these obligations. Regulators – like the Federal Trade Commission – keep tabs on cybersecurity breaches in the industry.
Governments are also introducing new laws. President Obama recently proposed the Personal Data Notification & Protection Act. This shows that the protection of customers’ personal data is becoming a federal priority. Companies should seek legal advice to understand their regulatory obligations.
For further information, please contact:
Chia Ling Koh, Partner, Bird & Bird
chialing.koh@twobirds.com