As technology continues to evolve, so do the risks associated with protecting sensitive customer data.

Recently, a popular restaurant chain experienced a devastating data breach that compromised the personal information of thousands of customers. This breach was not the result of a sophisticated cyber attack but rather caused by untrained staff mishandling customer data. This cautionary tale underscores the importance of proper cybersecurity training for all employees.

It all started when the General Manager asked his assistant to draw up a new loyalty program based on past orders from his customer database. The assistant began studying the database extensively and thought storing these sensitive data on his laptop was a good idea.

This unencrypted Excel spreadsheet listed customer credit card numbers, names, surnames, addresses, phone numbers, email addresses, birth dates, order histories and much other information.

This sensitive customer data spreadsheet was kept exclusively on the manager’s company laptop and in the internal CRM software. While technically against the company’s policy, the assistant manager frequently brought the computer home to work in the evenings and on days when he could work remotely.

One busy Friday night, after a long shift, the exhausted manager accidentally left the computer in the backseat of an Uber on the way home. The manager only realised the precious item was missing the following day.

By then, it was too late.

When the restaurant manager left, the driver didn’t realise the laptop was in his car, so one of the following passengers quietly took it. Even though the manager asked Uber Support for help, for privacy reasons the driver couldn’t give him the names of the following customers.

The unknown thief probably saw an opportunity to access the laptop and was willing to do so out of curiosity.

The unknown thief attempted to access the laptop but was initially stopped by its password protection. However, he sought assistance from a tech-savvy acquaintance who was eventually able to bypass the security measures. They were shocked to find a file named ‘Master Data Client’ on the desktop. Intrigued by the wealth of personal client information it contained, they saw an opportunity to make money from this unexpected windfall.

After making copies of the spreadsheet, the thief sold the laptop and data on the dark web. Unfortunately, this meant the compromised customer information was now in the hands of cybercriminals worldwide.

While the manager certainly did not intend for this data breach to happen, bringing sensitive customer data home on an unencrypted laptop proved to be a costly mistake. Storing private information in an unsecured Excel spreadsheet that would be easy to access if the device was lost or stolen was an egregious security risk.

So even though the manager likely had good intentions to keep organised records and catch up on some work the following day, this misstep had severe, wide-ranging consequences once the laptop was taken. With all the customer data from the spreadsheet now available to hackers on the dark web, identity theft and credit card fraud quickly ensued.

It took a few days before the restaurant started receiving calls from customers reporting fraudulent charges on their accounts. Several victims had significant unauthorised charges made on their accounts. Many angry customers immediately used social media to express frustration and threaten lawsuits.

The fallout from this breach was extensive. The restaurant chain incurred significant costs related to legal fees, fines, and reimbursing customers for fraudulent charges. Beyond the financial impact, the brand’s reputation took a big hit. Customer loyalty diminished almost overnight. Many ex-advocates vowed never to dine at this establishment again or make an order online.

While the consequences in this case were severe, the breach could have been easily prevented with proper cybersecurity awareness training for staff. Employees at all levels need to understand best practices for handling sensitive data. Regular cybersecurity training ensures that standard operating procedures are being followed consistently by everyone in the organisation.

According to Verizon’s Data Breach Investigations Report, up to 74% of data breaches are caused by human error, with employee negligence being a major contributing factor.

Some easy-to-implement training topics that could have prevented this restaurant’s data breach include:

  • Storing customer data securely in password-protected systems rather than unencrypted Excel files
  • Avoiding writing down credit card numbers or other personal customer details on paper records
  • Not removing laptops or devices with sensitive data from company premises
  • Using secure remote access tools to connect to work devices when working off-site
  • Enabling disk encryption on devices to render data unreadable if stolen
  • Setting strong passwords and enabling multi-factor authentication
  • Identifying and reporting phishing emails attempting to steal login credentials
  • Recognising social engineering techniques that try to manipulate staff
  • Following secure backup procedures to prevent loss of data in case of device theft or failure

Regular cybersecurity training provides employees at all levels with the knowledge needed to be the first line of defence in protecting your customer data. Rather than viewing security solely as an IT issue, everyone in your organisation must be involved and aware. Establishing a “culture of security” ensures that best practices are followed as second nature.

At Net Essence, we understand how vital ongoing cybersecurity training is for your entire staff. We offer customisable education programs tailored specifically to the hospitality industry and others.

Please reach out to us today for a consultation to discuss your training needs. We will partner with you to implement an awareness plan that makes security second nature for your employees.

When it comes to cybersecurity, there are no silly questions to ask.

We encourage you to contact us for a security assessment or to inquire about employee training. Managing security risks keeps your customer data protected and your reputation intact.

Don’t wait for a breach to happen before taking action.

Let our cybersecurity experts at Net Essence evaluate your current situation and partner on implementing training that empowers your staff with knowledge and best practices.

We can also discuss getting your organisation certified through CyberSmart for standards like Cyber Essentials. Together, we can ensure you avoid costly data breaches and keep customers feeling secure.

Get in touch with us now!
