Foodservice companies are among the prime targets for computer hackers, according to a recent report by a security services firm.
Food and beverage companies were associated with 57 percent of the more than 220 data system breaches investigated last year by Chicago-based Trustwave. About half of the foodservice companies with system breaches operated five or fewer locations.
Eighty-five percent of the incidents investigated involved payment card data, the firm found.
In its 2011 Global Security Report released Wednesday, Trustwave also found that hackers are increasingly targeting mobile users as companies improve the security on their data networks. Mobile devices offer criminals easy access to corporate authentication credentials, sensitive data and trade secrets, Trustwave said.
“Social networking sites are quickly becoming cybercriminals’ platform of choice to expand and propagate destructive botnets,” the firm said in its report.
A breakdown of the types of industries with data breaches investigated by Trustwave in 2010:
Another key finding of the report is that third-party vendors continue to put client companies’ data at risk, said Nicholas Percoco, senior vice president and head of SpiderLabs, a division of Trustwave. Of last year’s data breaches, 88 percent resulted from insecure software code or lax security practices in the management of third-party technology, Trustwave said.
McDonald’s Corp. is one of the restaurant companies that have faced data breaches through third-party vendors in recent years. In December, the company disclosed that the e-mail addresses, phone numbers and other personal information of customers who had signed up for e-mail and website promotions had been stolen from the data systems of a subcontractor of an outside company hired by McDonald’s to manage those promotions.
Several Louisiana restaurateurs filed a lawsuit in late 2009 against a major point-of-sale system software company and its approved regional systems integrator, contending that the theft of customer payment card data from their POS systems stemmed from the failure of the integrator to follow standard security precautions while setting up or maintaining their systems. The suit was eventually settled out of court.
Trustwave said that in 87 percent of data breaches involving POS systems, third-party integrators used “some form of default credentials with either remote access systems or at the operating systems layer.”
SpiderLabs’ Percoco said that while the third-party system integrators often hired by restaurants to support POS systems are “technically savvy,” they “may not be sophisticated in password or logon” administration, among other security shortcomings.
Trustwave also noted that “POS systems continue to be the easiest method for criminals to obtain the data necessary to commit payment card fraud.”
Trustwave offered tips for operators to improve their data security:
• Take inventory of software applications and develop a method for evaluating risks related to those applications, communicating those risks and rapidly patching applications when required.
• Embrace social networking, but educate staff by establishing a policy about what company information can be shared and how employees can protect themselves and the company from social network-based attacks.
• Develop a mobile security program by evaluating the various devices and operating systems used by employees to identify and phase out those that cannot enforce enterprise profiles.
• Enforce security standards among third-party service providers, either alone or with the help of outside security experts and, whenever feasible, in contracts.
Trustwave’s full Global Security Report is available at https://www.trustwave.com/GSR
Contact Alan J. Liddle at [email protected].