The Most Vulnerable Areas for Restaurant Cyberattacks & Data Breaches

Headlines regarding data breaches have become all too familiar. In January 2023, Yum! Brands, the parent company of KFC, Pizza Hut, and Taco Bell, announced a ransomware attack that caused the closure of about 300 restaurants in the U.K. While no customer data was at risk, some of the company’s employees’ personal information may have been exposed.

In March 2023, Chick-fil-A reported a cybersecurity breach that compromised its mobile app, with more than 71,000 app users affected. Just this year, some of the big brands to experience a data breach include Twitter, PayPal, MailChimp, T-Mobile, JD Sports, Sharp HealthCare, Weee!, Optus, Reddit, Atlassian, Activision, US House of Representatives, ChatGPT, Western Digital, and Micro-Star International. 

According to IT Governance, the most common security incident in the first quarter of 2023 was cyberattacks, including phishing and malware. So, as a restaurant, how do you protect your customers, staff, and business? Let’s explore the latest breaches and how restaurants are responding. 

Targeting Your POS System

Hackers look to access systems that hold the most data. That’s one of the reasons why POS systems are often a target. If cybercriminals can get into the system, they can install malware and gain remote access to private information. 

In the last several years, restaurants like Applebee’s and Checkers and Rally’s have experienced data breaches that compromised customer records. In April 2023, restaurants around the country were left dealing with the effects of a ransomware attack on NCR, a supplier of restaurant POS systems.

The attack disabled an NCR data center, affecting businesses using NCR’s Aloha cloud-based services and Counterpoint systems. The good news was that the breach did not interfere with in-house purchases or transactions. The bad news was that it disrupted Aloha POS apps used for online ordering and affected administrative functions like payroll. 

This left some restaurants unable to accept gift cards, access administrative tools, or use Pulse, NCR’s data dashboard. For example, Restaurant Business reported on a Facebook post by Copper Door Restaurant in Bedford, NH: “We apologize to our guests as our locations may not have the ability to accept Gift Cards or Copper Club [loyalty points]. This is a nationwide NCR outage that we, unfortunately, do not have control over.”

Targeting Your App

Over the past five years, online ordering has increased by over 20% and, for some restaurants, represents a significant share of their sales. As more customers expect the ease offered by enhanced technology, more restaurants are using mobile apps for ordering and payments and to improve the customer experience.

Modern Restaurant Management reported on NowSecure’s evaluation of over 450 mobile apps. They found security risks in all apps, with 64% having privacy risks. Common issues included insecure data storage and network communication. They also noted that hackers could take over the mobile app.

Chick-fil-A’s compromised mobile app exposed sensitive data, including names, phone numbers, email addresses, and banking information. The company provided instructions for customers who noticed suspicious activity on their accounts. These included using a complex password, removing stored payment methods, and reporting suspicious activity to Chick-fil-A and unauthorized transactions to their financial institution.

Protecting Your Restaurant’s Data from Cyberattacks

One mistake that is easy to make as an independent restaurant is to consider yourself a small fish in a big sea. Today, however, restaurants generate an enormous amount of data through POS machines, online payments, and more, resulting in plenty of valuable information.

Even their bank accounts are at risk. At the end of 2021, Johnny Pistolas, an LA-inspired taqueria located in Adams Morgan in Washington, DC, had over $476,000 stolen from their company bank accounts in increments of $25,000 over about eight hours. They recommended restaurants stay up to date on all security procedures.

Some steps to take include ensuring your website is encrypted, up to date, and protected by a robust firewall. Employee training is also critical, as many criminals get in through phishing scams that arrive via email or phone calls. In fact, phishing is present in a majority of breaches.

Operating systems should also be updated and supported, and modern technology should possess end-to-end encryption. Securing your app may involve penetration testing, automated security testing, monitoring for regulatory compliance, and more. 

No industry is immune to growing cybersecurity threats. Unfortunately, one incident can damage a brand’s reputation and revenue. Fortunately, there are precautions you can take to safeguard your business, customers, and employees. If you’re uncertain how secure your business is, a risk assessment may be warranted. Today, you can also get protection via cyber liability insurance.


What is the most common cyberattack for businesses?

According to Expert Insights, phishing attacks are the biggest and most damaging threat facing small businesses.

Do restaurants need cybersecurity?

As restaurants become more dependent on technology, protecting their businesses, customers, and employees becomes more important than ever. Risk assessments can help determine any vulnerabilities before a cyberattack occurs.
