How to prevent the 5 common data security threats restaurants face


Restaurants increasingly rely on guest data to deliver personalised experiences. Yet when that data ends up in the wrong hands, the impact on a restaurant's business and reputation can be devastating.

Restaurants face a range of security and fraud challenges, from widespread phishing scams to disgruntled staff with access to diner data and breaches at third-party providers. Importantly, a restaurant remains responsible for the data it holds: for the administrative penalties and damages that follow from mishandling it, and for any obligation to notify diners and authorities when it is compromised.

Let’s dive deep into five common data threats the restaurant industry faces and the specific fraud prevention tactics that can help protect your business from each one.

1. Social engineering and phishing scams

Phishing is the most common scam restaurants face today. It relies on social engineering: the attacker builds trust or a sense of urgency to pressure you into taking the action they want. For instance, a fraudster calls or emails a restaurant posing as an employee of a trusted vendor or service provider. They ask for login credentials, or push you through a password reset they control, to gain access to the account. Once in, they take guest data or other valuable information and use it to extend their access or to target others.

These fraudsters present themselves as a known entity, such as a vendor or a health inspector. Phishing emails can usually be identified by one or more of the following: poor grammar and spelling, urgent language, threats of legal action or other negative consequences, random characters or a near-miss of a real domain in the sender's email address, and links from unknown senders. Treat these as warning signs rather than proof: a well-crafted message may show none of them, so verify any request for credentials or payment through a contact channel you already have on file, never one supplied by the message itself.
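As an added example (my own code, not OpenTable's and not part of the original article), the Python script below applies those indicators mechanically to a raw email: it compares the sender's domain against an allowlist of vendors the restaurant actually deals with, flags near-miss lookalike domains, urgency and credential language, runs of digits in the sender address, and links whose host does not match the sender. The vendor allowlist, the phrase lists and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed allowlist: domains this restaurant genuinely does business with (assumption).
KNOWN_VENDOR_DOMAINS = ("opentable.com", "example-produce.com")

URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended",
                   "legal action", "final notice")
CREDENTIAL_PHRASES = ("password", "login", "verify your account", "temporary password")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss lookalike domains (opentab1e vs opentable)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""


def is_known(domain: str) -> bool:
    return any(domain == k or domain.endswith("." + k) for k in KNOWN_VENDOR_DOMAINS)


def lookalike_of(domain: str):
    """Return the real vendor domain this one imitates, or None if it resembles none of them."""
    for known in KNOWN_VENDOR_DOMAINS:
        brand = known.split(".")[0]
        if edit_distance(domain, known) <= 2 or brand in domain:
            return known
    return None


def phishing_indicators(raw_email: str) -> list:
    """Return a list of human-readable warning signs found in one RFC 822 style message."""
    msg = message_from_string(raw_email)
    sender = msg.get("From", "")
    domain = sender_domain(sender)
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    findings = []

    if not is_known(domain):
        target = lookalike_of(domain)
        if target:
            findings.append(f"sender domain '{domain}' imitates known vendor '{target}'")
        else:
            findings.append(f"sender domain '{domain}' is not a known vendor")
    if re.search(r"[a-z]+\d{3,}@", sender.lower()):
        findings.append("random digits in sender address")
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            findings.append(f"urgent or threatening language: '{phrase}'")
    for phrase in CREDENTIAL_PHRASES:
        if phrase in text:
            findings.append(f"asks about credentials: '{phrase}'")
    for url in re.findall(r"https?://[^\s\"'<>]+", text):
        host = urlparse(url).hostname or ""
        if host != domain and not host.endswith("." + domain):
            findings.append(f"link host '{host}' does not match sender domain '{domain}'")
    return findings


# Constructed sample messages (not real emails).
SAMPLE_PHISH = """From: OpenTable Support <support8821@opentable-billing.net>
Subject: Final notice: verify your account within 24 hours
Content-Type: text/plain

Your restaurant account will be suspended unless you confirm your login at
http://opentable-billing.net/verify immediately.
"""

SAMPLE_LEGIT = """From: Fresh Produce Orders <orders@example-produce.com>
Subject: Next week's delivery schedule
Content-Type: text/plain

Hi, here is next week's delivery schedule: https://www.example-produce.com/schedule
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample))
```

The allowlist is the important part: a message from a domain nobody at the restaurant has a contract with deserves a phone call to the vendor's known number before anyone clicks anything, whatever the wording looks like.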

OpenTable take: When OpenTable contacts your restaurant, we will never ask you to disclose your login credentials or any guest or personal data. If someone asks you to change your password or provides you with a temporary password, treat it as suspicious. Make sure your team knows this.

You should also enable two-factor authentication (2FA), which requires a one-time code in addition to your login credentials to access your OpenTable for Restaurants account. A phished password alone is then not enough to get in. The code itself can still be phished, though, so staff should never read a code out to a caller or type it into a page reached from a link in a message.

2. Credit card fraud

Credit card fraud often goes undetected. For instance, when a guest gives their card details to staff over the phone to hold a reservation or pay for a takeaway order, the quickest way to record them is often a piece of paper. That information is extremely sensitive and should never be written down anywhere it could be found by someone else. Likewise, train staff never to repeat card details out loud, where anyone within earshot could note them down.

OpenTable take: Because of the rise in credit card fraud, many systems now let guests enter their own card details. When guests book over the phone, restaurants on OpenTable can request card details through a secure SMS link. The guest enters them directly on a secure web page, so your staff never handle the sensitive data and the restaurant's exposure and responsibility are reduced.

When guests book or order takeaway through OpenTable, they enter their card details into a PCI-compliant system. Once entered, the number is masked and vaulted so it stays confidential. And if a well-meaning host types a card number into a free-text field such as guest notes, OpenTable recognises the card number and removes it immediately.
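Stripping card numbers out of free text works by recognising digit runs that pass the Luhn check, which every major card brand's numbers satisfy. As an added example, my own code rather than OpenTable's implementation, the Python function below scans a note for 13- to 19-digit runs (allowing spaces or dashes), keeps only those that pass Luhn, and masks them to the last four digits, which is what PCI DSS permits to be displayed. The guest note is constructed, and the card numbers in it are standard test numbers, not real cards.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9 if the result exceeds 9,
    and require the sum of all digits to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str):
    """Return (redacted_text, list_of_pans_found).
    Digit runs that fail Luhn, such as booking references, are left untouched."""
    found = []

    def replace(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if luhn_valid(digits):
            found.append(digits)
            return f"[CARD REDACTED ****{digits[-4:]}]"  # last four only, as PCI DSS allows
        return raw

    return CANDIDATE.sub(replace, text), found


# Constructed guest note: a Visa test number plus a 13-digit booking reference that fails Luhn
# and an 11-digit phone number that is too short to be a card.
SAMPLE_NOTE = ("Table for 4 at 7pm. Guest gave card 4111 1111 1111 1111 exp 12/27 to hold; "
               "booking ref 1234567890123, phone 020 7946 0958.")


def redact_sample():
    return redact_pans(SAMPLE_NOTE)


if __name__ == "__main__":
    redacted, pans = redact_sample()
    print(redacted)
    print("PANs removed:", len(pans))
```

Two caveats worth knowing. A card number glued to other digits, or a run longer than 19 digits, is not matched, so this is a safety net for accidental pastes rather than a guarantee. And the `found` list holds the full numbers only so the caller can count or vault them; it must not be logged.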

3. Insider threats

With staff turnover at an all-time high for the industry, recognise that fraudsters sometimes come from inside. A disgruntled employee, possibly one who has already left, might change reservations or the restaurant's availability, or alter the restaurant's profile information. Alternatively, a phishing actor may deliberately target a staff member who is unhappy in their job, giving the attacker a way into the business.

Regular auditing ensures that 1) only current employees hold active accounts and 2) each employee has the access level their role requires and no more. When an employee leaves, revoke their access immediately, and review access whenever someone changes role.

OpenTable take: The best way to mitigate employee fraud is proper account provisioning. Each employee has their own OpenTable account, and you can set specific access controls so they have only the level of access their job needs. A host, for example, doesn't need access to revenue metrics or the ability to launch a marketing campaign. Single sign-on and two-factor authentication further protect accounts. When staff set up their accounts, encourage them to use strong, unique passwords.
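As an added example (my own code, not an OpenTable feature), the Python audit below implements the two checks described above, plus a dormancy check, against a constructed account export: it flags accounts with no matching current employee (to offboard), accounts whose role exceeds what the employee's job needs (to downgrade), and accounts nobody has used for 90 days. The role names, the job-to-role mapping, the staff roster and the dates are all assumptions for the example, not OpenTable's actual roles.

```python
from datetime import date, timedelta

# Hypothetical role hierarchy and the highest role each job legitimately needs (assumptions).
ROLE_RANK = {"host": 1, "manager": 2, "owner": 3}
MAX_ROLE_FOR_JOB = {"host": "host", "server": "host", "general manager": "manager", "owner": "owner"}

# Constructed HR roster of current staff: username -> job title.
ACTIVE_STAFF = {"ana": "host", "ben": "general manager", "cora": "owner", "eli": "server"}

# Constructed export of system accounts: who has a login, with what role, and when they last used it.
ACCOUNTS = [
    {"user": "ana",  "role": "host",    "last_login": date(2024, 5, 20)},
    {"user": "ben",  "role": "manager", "last_login": date(2024, 1, 15)},  # right role, but dormant
    {"user": "cora", "role": "owner",   "last_login": date(2024, 5, 30)},
    {"user": "dave", "role": "manager", "last_login": date(2023, 11, 2)},  # left, never offboarded
    {"user": "eli",  "role": "manager", "last_login": date(2024, 5, 28)},  # a server with manager rights
]
AUDIT_DATE = date(2024, 6, 1)


def audit_accounts(accounts, active_staff, today, dormant_after=timedelta(days=90)):
    """Return accounts to offboard, to downgrade, and to question because nobody uses them."""
    findings = {"offboard": [], "over_privileged": [], "dormant": []}
    for acct in accounts:
        user = acct["user"]
        job = active_staff.get(user)
        if job is None:
            findings["offboard"].append(user)  # no current employee behind this login
            continue
        allowed = MAX_ROLE_FOR_JOB[job]
        if ROLE_RANK[acct["role"]] > ROLE_RANK[allowed]:
            findings["over_privileged"].append((user, acct["role"], allowed))
        if today - acct["last_login"] > dormant_after:
            findings["dormant"].append(user)  # unused access is a standing risk
    return findings


def run_audit():
    return audit_accounts(ACCOUNTS, ACTIVE_STAFF, AUDIT_DATE)


if __name__ == "__main__":
    for category, items in run_audit().items():
        print(f"{category}: {items}")
```

The roster, not the account list, is the source of truth: anyone with a login who is not on it gets removed first, and only then are the survivors compared against the role their job needs.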

To help mitigate all types of fraud, the OpenTable iPad app has passcode protection, so only authorised staff can take critical actions during service, such as blocking availability or overbooking the restaurant.

4. Third-party vendor fraud

Vendors differ in the security and fraud-detection measures they have in place. Properly evaluating third-party vendors is vital to ensure your data is stored securely and responsibly. When talking to vendors, ask questions such as: "Can the restaurant delete its data, and what is the vendor's retention policy?", "Does the provider have a data security incident response plan?" and "How, and how quickly, will you notify us if your systems are breached?" If a vendor fails to secure its data, that failure can expose you to fraud.

OpenTable take: We vet third-party vendors to ensure they follow safe computing practices, and we require all vendors to abide by applicable laws and regulations and to adhere to industry standards for data privacy and security. We don't share or sell identifiable data without the restaurant's permission unless it is needed to provide the services.

5. Misuse of guest data

Guest information is sensitive and must be handled securely to keep it away from scammers. For instance, if a phishing actor gained access to an account, they could export guest data unless checks were in place to prevent it.

If you download guest and reservation information, store it securely. While guest data is on OpenTable's servers, we handle it securely and with care; once you export it, that responsibility is yours (and we provide information and guidance to help you handle it with care).

A good rule of thumb is to treat guest data as you would want your sensitive data to be treated: respect how guests want it shared, keep it secure, keep it only if you need it, and use it only as intended.

OpenTable take: When you export guest data from OpenTable, such as contact details or reservation history, it is sent to the main user on the restaurant account, and access controls determine which logged-in users can even request a guest data report. This helps keep fraudsters away from guest information. Use different credentials for OpenTable and for your email, so that a scammer who obtains one set of login details can't reuse it for the other.

These are just a few of the most common data threats restaurants face. In general, use good judgment and verify the identity of any suspicious contact through a channel you already trust. Talk to your staff and educate them on best practices for handling guest and restaurant data and on the risks involved.