Franchise Data Breaches: Risking the Brand for Franchisee Autonomy
Home Depot, Dairy Queen, UPS, Goodwill and Supervalu all have one thing in common - they’re retail franchises that have reported news of their breaches over the past few weeks. Here’s a little more detail about each:
Home Depot
This breach is reported to affect even more customers than the Target breach, which resulted in the compromise of 40 million credit/debit card numbers and 70 million personal records. Banks are reporting that the breach originated in late April or early May of this year, according to Forbes.com.
Additionally, by comparing the records of recent data dumps on the card-selling website Rescator with the records linked to the Home Depot breach as provided by banks, KrebsonSecurity.com reports that nearly all of Home Depot's stores across the nation have been affected, which isn't surprising considering the breach had a good four-month run.
Home Depot's public breach message on their website doesn't provide much information, and it's clear they didn't have much of an incident response plan in place.
Dairy Queen
Again, banks were the first to report to KrebsonSecurity.com that there was fraud linked to customers of a certain chain: more than 50 customers found they were victims of fraud a few days after using credit/debit cards at Dairy Queen locations, suggesting that the breach dates back to early June of this year.
Victims report their cards being used at dollar and grocery stores by means of counterfeit copies. Some locations are going cash-only or adopting "low-risk methods of processing consumer credit and debit cards," according to a statement released by the company and reported by SCTimes.com. Otherwise, DQ has been very quiet about the details of the breach, with no sign of it on its website or even a press release, suggesting they haven't exactly been in the loop when it comes to breach protocol.
The disturbing part of this breach is that a company spokesperson pointed out that all of DQ's stores are independently owned and operated, and that there was no requirement that franchisees notify the parent company of a security breach.
This raises the question of how many franchises lack a centralized security policy, making it difficult to track when one store gets breached, and potentially making it easier for hackers to work their way through more than one franchisee location.
Goodwill
By comparison, Goodwill has done a great job of being transparent and detailed when it comes to news about its data breach, which is said to affect an estimated 868,000 payment cards and 330 stores in total, according to Forbes.com. The company was notified by "a payment card industry investigative unit and federal law enforcement authorities" that they suspected a data breach linked to its franchise.
Yesterday, they announced that stores in 20 states (comprising 10 percent of all stores) were affected, the common factor being a third-party vendor that was compromised by malware. The attack spanned seven months, from February to August. Goodwill published a comprehensive list of affected store locations on its website, along with as much information as possible, and updates it frequently (A+ for breach handling).
Similar to Dairy Queen’s admission about independent franchisees, Goodwill emphasized the fact that the company didn’t have a centralized payment system because it is a franchise.
UPS
Recently, UPS Stores reported a data breach that may have led to data theft at 51 of its franchisee locations. Malware was found on the in-store cash register systems at locations in 24 states, affecting roughly 1 percent of its franchises, according to the NYTimes.com Bits blog.
The malware was found in January and eliminated in August. UPS listed each affected location on its website, including the date of the breach and the date on which it 'secured transactions'.
Again, UPS reports that the lack of standardization is a factor in their company structure:
Each UPS Store location is individually-owned and runs an independent private network. The malware was isolated to those locations.
Supervalu
Supervalu, a grocery chain based in Minnesota, was breached when hackers broke into computer systems containing customer data from about 200 of its stores. The breach lasted only about a month, from June to July, and the company was alerted to the compromise by a 'government bulletin.'
Supervalu also provides technology services to other stores, widening the potential impact of this breach to over 1,000 stores nationwide, according to InfoSecurity-Magazine.com. A list of all affected locations can be found here (PDF).
Commonalities in Franchise Data Breaches
The common thread in all of these breaches is the inability to gain visibility into the state of security among independent stores within a franchise. A recent article from ITBusinessEdge.com theorizes on the "tricky relationship among franchises, parent companies and network security."
While the parent company may not have control over the franchises, it is the overall brand that suffers. But I also wonder who controls the overall security for the franchise stores. It isn’t a coincidence that multiple stores under one brand are being targeted. If the parent company is the one supplying the security, shouldn’t a breach be known and/or reported? - Questions Surround Presumed Dairy Queen Data Breach
That's the question: who is managing security for all of these franchises? While they may be independently owned, it's the big corporate name that gets dragged through the mud when a small franchisee gets pwned by hackers who take advantage of a lack of security or a known vulnerability in the POS system of an individual chain store.
With that in mind, it might be prime time for retail franchise organizations to consider further centralizing and standardizing each franchisee's practices and POS systems to ensure they're operating securely.
Visa recommends enforcing PCI DSS for franchises:
Franchisors and franchisees are bound by the terms and conditions of their franchise agreements. As agreements are often renewed between three and five years and are subject to change, during the renewal period franchisors have an opportunity to amend franchisee contracts to include data security policies.
By incorporating data security into the agreements, franchisors can incent franchisees to comply with the PCI DSS which reduces risk of data compromise and helps preserve the integrity of the franchise brand. - Payment System Security Best Practices For Franchises (PDF)
Other recommendations include using secure payment applications; enforcing network security; securing remote management applications (for example, by changing vendor default settings and requiring a VPN to connect); and expanding franchisee communication and training.
PCI DSS requires proper security measures to protect against account takeover, whether it's an employee VPN or a third-party login to a franchise or franchisee's network. Two-factor authentication is one way to stop unauthorized remote entry, by requiring a physical device (such as a smartphone) to verify your identity.
Find out more about retail breaches in:
U.S. Gov Recommends 2FA for POS Remote Access Security
POS Remote Access Software: Vulnerable Without 2FA
PCI DSS 3.0 and Two-Factor Authentication