Chili's Speed Question: To Notify or Not to Notify Quickly?Restaurant Chain Reports Breach But Has Yet to Confirm Details
To notify quickly or not to notify quickly?
See Also: Threat Horizons Report
With apologies to the Dane, that appears to have been the question facing Chili's Grill & Bar, which says it confirmed on Friday that some of its corporate-owned locations had suffered a data breach resulting of some customers' credit and debit card data, as well as cardholder names, being exposed.
"Generally speaking, in order to move fast you must move carefully and not make missteps."
The company has blamed point-of-sale malware and says it does not yet know which locations were affected or how many payment cards were exposed.
"Currently, we believe the data incident was limited to between March - April 2018; however, we continue to assess the scope of the incident," to company said in a brief Saturday statement announcing the breach.
On May 11 we learned that some of our Guests' payment card information from certain restaurants was compromised. We value our relationship with our Guests and are committed to sharing details as we know more here: https://t.co/xWnJ1a7Auy— Chili's Grill & Bar (@Chilis) May 12, 2018
Chili's is owned by Dallas-based Brinker International, a publicly traded multinational corporation that also owns Maggiano's Little Italy. The company says it owns, operates or franchises more than 1,600 Chili's and Little Italy restaurants in 31 countries. I've asked the firm for a breakdown of how many corporate-owned Chili's restaurants are in the United States and have not yet received a reply.
On Saturday, Brinker filed a form 8-K with the U.S. Securities and Exchange Commission about the data breach.
"Upon learning of this incident, we immediately activated our response plan," the company says in the filing. "We are working with third-party forensic experts to conduct a thorough investigation to determine the details of what happened. Law enforcement has been notified of this incident and we will continue to fully cooperate."
The company says in its statement: "We deeply value our relationships with our guests and sincerely apologize to those who may have been affected."
Brinker has set up a dedicated Chili's data breach notification site.
The company is the latest in a long line of restaurants - as well as retailers and hotels - that have suffered payment card breaches. Information security experts say the problem is compounded by the ease of procuring on the cybecrime underground the card-scraping malware used to infect POS systems, as well as generally poor security at many hospitality and retail sector organizations (see 166 Applebee's Restaurants Hit With Payment Card Malware).
Chili's Alert Timeline
The company's rapid breach notification - apparently, less than 24 hours after it confirmed the breach - raises this question: Should it have waited longer to notify customers?
"It is comforting to see Chili's have a fast-acting response plan in place that coordinated the SEC disclosure notice, public notice and response," Chris Pierson, CEO of Binary Sun Cyber Risk Advisors, tells me.
"Dates can be misleading, though, as Chili's may have concluded" - legally speaking - that "it was a breach on May 11 and had everything ready to go," Pierson says. "But it may have been working the breach and forensics for a week or two. That is most likely the scenario for how the data breach response plan went into action."
Brinker didn't immediately respond to my request for comment on the timing behind its breach notification.
"The other possibility could be that a breach was so blatantly obvious and the exfiltration of data so easy to see that the decision to notify was quicker that usual," Pierson says, adding that this scenario "is less likely."
Don't Delay, Don't Rush
From a public relations standpoint, always notifying customers as quickly as possible might seem to be a good move. Certainly, waiting for more than a year - as Uber did - is a no-no (see Did Uber Break Breach Notification Minimum-Speed Limits?).
But many data breach response experts have told me that it's better for a breached organization to aim to notify victims within 30 to 60 days, unless regulations require that they do so sooner (see Data Breach Notifications: What's Optimal Timing?).
The reason for waiting is simple: Don't just tell customers that something went wrong; tell them how they can fix it.
Waiting also helps organizations ensure that they have their story - and response - straight.
"Generally speaking, in order to move fast you must move carefully and not make missteps," Pierson says. "We all saw what happened from last summer when you have an uncoordinated response plan, uniformed board and poor governance," he says, referring to Equifax.
The Drip-Feeding Problem
Waiting can help avoid the drip-feeding problem. So often, breach investigators keep revising upward their estimate of the number of victims or quantity of data that were exposed (see Equifax: US Breach Victim Tally Stands at 146.6 Million).
Waiting until there's more information also helps an organization avoid the appearance that it's attempting to cover up any details.
"Is there any valid reason as to why in the hell you would not provide info on exactly which restaurants were affected??" one Twitter user asked Chili's. "How the hell does that help consumers???"
Is there any valid reason as to why in the hell you would not provide info on exactly which restaurants were affected?? How the hell does that help consumers???— Jennifer Smith (@jynthea_twitch) May 13, 2018
Of course, there can be caveats to the breach notification calculus: If users' passwords were stolen, then an immediate, forced password reset and alert might be the best option, so users can change their password and avoid account compromises.
But in the case of payment card breaches, many have been spotted by card processors, which have traced fraud and fraud reports back to a specific business, flagged anyone who used a payment card at the business during the suspected breach window and begun keeping a close eye on how their card gets used.
"My information was actually stolen and used for like $1,700 in purchases," one Twitter user replied to Smith's tweet.