Lessons Learned from the Chick-fil-A Mobile App Data Breach

In March, Chick-fil-A announced that a forensic investigation found that a cybersecurity breach compromised its mobile app. More than 71,000 mobile app users were affected, resulting in the exposure of personally identifiable and sensitive data that included names, email addresses, phone numbers, and banking information.

With an increasing number of restaurants relying on mobile apps for orders, payments, customer rewards, promotions, and menu updates, mobile apps have become a vital aspect of the industry. In fact, Lavu finds that mobile represents 60 percent of all digital restaurant orders. Additionally, a HungerRush survey found some 79 percent of consumers expect to use technology to place orders at casual restaurants. 

Despite the value of quick-service restaurant (QSR) mobile apps, many lack adequate security and privacy measures needed to safeguard user data. As more QSRs build and update mobile apps to support their customers, business leaders must recognize the risk of mobile app security and privacy violations. Restaurants and other consumer businesses should take extra steps to secure their mobile apps to grow sales, retain customer trust and maintain a positive image. 

Consequences of Mobile App Security and Privacy Issues 

Over the last decade, many popular restaurants have experienced the impact of mobile app security and privacy issues:

  • Canadian coffee company Tim Hortons experienced issues when government authorities discovered the company secretly tracked users without their consent. 
  • A security issue within the McDonald's mobile app allowed hackers to steal email addresses, phone numbers and delivery addresses for customers within South Korea and Taiwan. 
  • Dunkin' Donuts faced scrutiny for twice failing to notify customers about a mobile app security issue that allowed unauthorized individuals to access their accounts.

These examples demonstrate that even reputable mobile apps from established QSR brands can carry significant privacy and security risks. A single incident can damage the revenue and brand reputation of a business, highlighting the importance of QSRs taking full precautions to ensure the security and privacy of their mobile apps.

Benchmark Data Highlights QSR Mobile App Risks

NowSecure recently evaluated more than 450 Android and iOS retail mobile apps (which includes QSRs) using the NowSecure Platform automated mobile application security testing engine. The engine runs more than 600 automated tests based on proven industry standards to find security and privacy issues that impact mobile users and mobile businesses. 

According to the data, 100 percent of the sampled retail mobile apps had security risks and 64 percent had privacy risks. Some of the most common security risks uncovered include insecure network communication, insecure data storage and the ability for attackers to take over the mobile app. Privacy risks included app configurations that expose personal data, insufficient protection of sensitive data, and personal data leakage over the network.

The Blueprint for Secure QSR Mobile Apps

We can expect the food service industry to expand its digital presence — 35 percent of customers say they would be encouraged to spend more on food in restaurants with mobile apps. With that said, QSRs that develop mobile apps should consider the following best practices to minimize security and privacy risks. 

Conduct Regular Penetration Testing – Pen testing allows expert security analysts to produce a comprehensive report outlining the security and privacy issues found in the app, including their severity level, likelihood of exploitation, and impact on the business. Restaurants with mobile apps should run tests for each new release or major update to safeguard against potential breaches and shield sensitive customer data.

Automated Security Testing for Continuous Protection – Pen testing can be highly beneficial for confirming the security of a mobile app, but it can also take up to two weeks to complete. QSRs with mobile apps should adopt a proactive approach to security by using continuous automated security testing as the mobile apps are built and updated. Mobile app development teams can remediate issues as they arise, ultimately speeding up releases with quality and security built in.

Automatically Monitor for Regulatory Compliance – QSRs with mobile apps must be diligent about complying with regulatory requirements such as PCI, California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR). Using an automated policy engine helps QSRs ensure their mobile apps maintain compliance with industry-appropriate standards to avoid potential regulatory penalties.

Encourage Mobile-Specific Dev Training – QSRs rely on talented developers to create their mobile apps. But with the mobile threat landscape constantly evolving, development teams should regularly sharpen their secure coding skills to avoid common, mobile-specific mistakes. Encourage developers to enroll in mobile app training courses to ensure they build mobile apps with security and privacy in mind.

The Chick-fil-A data breach acts as yet another reminder of the evolving mobile threat landscape, putting customer data, brand and revenue at risk. By leveraging security automation, standards, training and testing, QSRs can ensure they are taking the right precautions to safeguard their mobile apps from security and privacy risks, in order to maintain customer confidence and business success.