As a last hurrah before summer fades, hackers got a taste for ice cream and decided to attack the summertime staple Dairy Queen. We're only partially kidding.
In the winter, we saw hackers go after retail giants (like Target), hoping to capitalize on increased holiday sales traffic. So it stands to reason that hackers might have been looking to take advantage of DQ's busiest season.
When a breach like this happens, IT consultants have an opportunity to examine what occurred and see what they can learn from another company's mistakes. Because you can be sued for data breaches, it's vital to stay up-to-date on data security news. (If you're looking for a quote on insurance to cover client data breaches, check out our sample IT insurance quotes.)
Hot Eats, Cool Treats…Data Breach? How DQ Got Hacked
Brian Krebs – the security blogger who broke the story of the Target breach – first reported signs of an attack on Dairy Queen and offers some analysis on how the breach occurred.
In his Krebs on Security blog post, he points out that the Department of Homeland Security issued a warning about all point-of-sale systems that allow remote access logins. The agency saw a pattern of attacks with cyber criminals using malware specifically designed to exploit this weakness.
Cyber criminals can run searches that allow them to scour the Web for computers that have specific vulnerabilities. Hackers often use this trick to find servers vulnerable to SQL injections, and now they’re using it to find weak POS systems.
While the full details of this breach are still unknown, the attack fits the pattern of a POS strike. Tech journalists spotted signs of the breach as early as two weeks ago and the Secret Service has been investigating it, but Dairy Queen didn’t issue a public statement to its customers until last week.
How Lack of Coordination Hurt Dairy Queen
As specifics begin to emerge, one thing has stood out to IT experts: Dairy Queen had no requirements for franchise owners to notify the parent company about possible fraud cases. Forbes reports that the company's data breach plan – if it had one – wasn't a comprehensive one that included individual franchise owners.
Parent companies should ensure their franchisees have clear data security policies that outline…
- When to update security policies. New security risks should be evaluated regularly. Lax practices can lead to a data breach, and then it’s already too late.
- What franchisees need to know about data security. Franchise owners often don’t have the expertise to properly handle and investigate a data breach. By providing training, a parent company can protect the brand and provide guidance.
- How and when to notify consumers. Most states have statutes requiring companies to notify customers of a data breach. Franchisees need to know how to comply with state regulations.
Security experts will likely have more questions for DQ. For instance, why didn't the company respond to Homeland Security's warnings? Though these warnings weren't made specifically to DQ, any major retailer should have taken the time to scan its POS system to spot signs of malware.
In fact, that's just what UPS did and was able to successfully limit the damage caused by attacks on their payment systems. It was so small that you probably didn't even know there was an attack at UPS.
As an IT consultant, you have to be on the lookout for new threats, pay attention to new tactics (like scanning for POS vulnerabilities), and advise your clients accordingly.
How Do IT Contractors Cover Their Cyber Liability?
Now is a great time for IT consultants to invest in Errors and Omissions Insurance, which can pay for data breach lawsuits. Because data breaches can lead to expensive lawsuits filed against the IT professional that installed a POS system or network, it's crucial for tech companies to prepare for the worst-case scenario.
For free quotes on IT insurance, fill out an online insurance application.