The Hole in the Donut: Franchise Relationships Create Unique Cybersecurity Risks

Franchise Blog Image

In February 2018, the nation of Canada experienced an attack on a popular franchise chain that didn’t make the front page of most major newspapers. Treasured donut and coffee franchise, Tim Hortons, experienced a malware outbreak resulting in outages of point-of-sale (POS) systems, and temporary closures of hundreds of stores — it was the Donutpocalypse. It was also another in a long list of breaches involving some well-known franchise organizations.

Although customers of the popular Tim Hortons chain were clearly suffering, no loss of sensitive information has yet been reported. Often, after a denial-of-service (DoS) incident of this magnitude, many organizations will lick their wounds, learn a lesson or two, and move on. This incident, however, has an interesting wrinkle because of the nature of the relationship between the Tim Hortons franchisees and the central corporate entity.

The franchisees, in this case, are independent business owners, who pay for the privilege of using the Tim Hortons brand and supporting services. When this breach occurred, the affected owners took a substantial hit to their wallets in the form of lost income, lost wages, spoiled food and other costs, and they are looking to the corporate “mothership” to make them whole. To ensure this happens, the franchisees have threatened legal action. This means that while most DoS attacks result in soft losses related to productivity and cleanup, this one could involve significant financial payouts. This situation highlights the fact that franchise organizations have a unique set of challenges when it comes to cyberthreats, a subject addressed in the CrowdStrike Cyber Intrusion Services Casebook.

The Downside of Franchisor/Franchisee Interdependence

Franchisors and franchisees have an interesting interdependent relationship because while they are different companies, they share entangled domains of trust and risk. Each relies on the other to do its part to protect information and information systems, but many times the incentives aren’t aligned to position both for success. Some of the factors contributing to this poor alignment include the following:

  • The franchisee is often a small individual business that doesn’t have the resources to adequately defend itself when threats arise.
  • The franchisor typically avoids getting involved in the specifics of how a franchisee operates because the franchisee is an independent and separate organization and the franchisor isn’t structured for this level of micro-management. After all, the entire model behind a franchise-based enterprise is to allow the business to grow organically by taking advantage of the capital and sweat equity of each franchisee.
  • The franchisee operates a local network that depends on services provided by the franchisor. Sometimes the networks share technical access to each other, which can be exploited by attackers to move laterally across networks.
  • In many situations, franchisees will share a third-party resource for IT management.  Even though franchises are operated independently, shared administration creates a logical broad domain of trust that can be leveraged to launch attacks that hit all independent franchises simultaneously.

Naturally, attackers are aware of all this and it’s not uncommon for them to target individual franchise locations in order to pivot to others, or gain access to the broader franchisor network. Alternatively, they may target third-party service providers in order to hit large numbers of franchises at scale. When this happens, complicated questions of liability arise. What obligations do individual stores have to protect themselves and each other from cyberthreats? What role does the franchisor play? What’s the appropriate level of security when defending against sophisticated attackers and what penalties should be assessed when those defenses aren’t up to the task? When defenses fail, who is responsible for reporting the breach to consumers?

Regulators are Taking a New Approach

Regulators are shifting the way they view the franchisor/franchisee organizational relationship, even though these are independent operations. One regulator recently told me that when the consumer walks in the front door and swipes his credit card, he’s placing his trust in the logo on the outside of the building, not in the unseen entity whose name is on the local lease.

In 2015, Wyndham Hotels and Resorts settled a lawsuit launched by the U.S. Federal Trade Commission (FTC) after a data breach at a single franchise hotel in Phoenix raised questions concerning Wyndham’s responsibility to protect consumer data across its 8,000 independent hotels around the globe. As part of its settlement, Wyndham agreed to launch a comprehensive information security program for franchisees, including conducting annual audits.

The Tim Hortons Attack Adds a New Twist

Most often, when security breaches associated with a retail brand hit the news, it’s because of impact to consumers. However, this week’s Tim Hortons incident adds a new twist because it involves direct B2B liability with quantifiable financial damages. This case could set an important precedent and should put all franchisors on notice that keeping their franchisees at arm’s length can lead them to ignore key risks they should be addressing — for instance, the fact that the franchise business model exposes a complex and extensive attack surface. It’s time for franchisors and franchisees to sit down together over a cup of coffee and a box of honey crullers and ensure that all franchise defenses are up to the challenge of today’s most sophisticated, targeted threats.

How CrowdStrike Helps Franchise Organizations

CrowdStrike® partners every day with franchise organizations, helping them untangle the complexities of cybersecurity and ensuring the next-gen protection they need. CrowdStrike products and services can help your organization achieve the following:

Contact CrowdStrike to learn how CrowdStrike Falcon® Endpoint Protection (EPP) Complete™ simplifies security for franchise organizations.

 

Stop Breaches with CrowdStrike Falcon Request A Demo