Point-of-Sale Hack Costs Restaurant More than $50K

Paul Mah

The story of Keith Bond and the lesson he learned when upgrading the computerized cash register system for his Louisiana restaurant reads like a typical horror story for SMBs. As reported by Computerworld, the new computerized cash register came with a remote-access feature so that the maker of the system could provide remote support. Unfortunately, Romanian hackers were able to break into the system.


Credit card numbers were then stolen and used to make fraudulent purchases around the country, leaving Bond with "tens of thousands of dollars in fines and charge-back fees" generated from the 699 stolen credit card numbers. Note that this comes on top of close to another $20,000 already spent to audit the system in the wake of the security breach.


For now, Bond is pursuing a class-action lawsuit against the maker of the point-of-sale systems and the local reseller for selling a system that does not comply with the Payment Card Industry Data Security Standard. What was probably more galling was an e-mailed statement in which a spokeswoman communicated the company's stand: "These customers were victims of criminal acts almost two years ago. Unfortunately, in today's world, criminal acts like these are not uncommon in the restaurant industry."


The obvious question here is whether this debacle came from sheer bad luck or something that was entirely preventable.


My opinion is that this sorry state of events need not have happened. For one, I would never have chosen a POS system configured for remote access. OK, perhaps that is overstating it. However, I would definitely have demanded more details of how the remote access works, and made certain demands before signing on the dotted line.


Some of these conditions I would have required are the following:

  • The system should not be configured so that remote access can be initiated from outside; a support session should be started from the restaurant's end.
  • The use of a dedicated channel for remote access, which preferably should be encrypted.
  • A contract that clearly specifies the scope of responsibilities should the POS system be remotely compromised.
  • And, of course, some modicum of compliance with PCI DSS standards.


Still, is it right to blame Bond for what happened? He is, after all, an expert in operating a restaurant business, not an IT guru. That brings us to the crux of the issue: While there is no doubt that technology can be leveraged to enhance businesses, a poor understanding of it can lead to wrong choices -- with disastrous consequences.


Unfortunately, the truth is that many small and medium-size businesses simply do not have staffers knowledgeable in matters pertaining to IT. And not every SMB can afford to hire a consultant for every IT-related project or purchasing decision.


So while the incident was preventable, there are no simple solutions or actions that small business owners can take to conclusively protect themselves from such incidents. One thing that SMBs can do, though, is to keep themselves up to date on the technological issues that matter to them. As such, I would encourage readers to check back from time to time, or perhaps drop me a comment or e-mail if there are specific areas you would like to see covered or explained.


I look forward to hearing from you.
