Chili’s, as you may have heard, announced that they are the latest data breach victim, disclosing that customer credit cards were accessed at a number of their stores in March and April. The breach, which the company says was “malware” related, calls to mind other, similar restaurant breaches, such as Zaxby’s and P.F. Chang’s, where the issue was a security gap in card readers. Notably, many Chili’s employ a tabletop card reader which, although convenient for the customer, creates a substantially higher risk of breach by increasing the number of points of sale.
A few interesting points. First, Chili’s states that they “do not collect Social Security numbers,” and so that kind of “personal information was not compromised.” But the verb in that sentence is “collect,” not “possess.” You have to wonder whether the company, in keeping with widespread practice, augments its data from third party sources, and what other data may potentially have been compromised.
Second, the timing here is worth noting. If the company discovered the breach in mid-April, then we are just about at the 30-day deadline that many states (now including Alabama!) impose for data breaches. You’re going to start seeing more of this: the 30 day lag between a breach and public notice.
Finally, you can bet that this breach is going to be of a piece with other, recent hacks, in that it does not capture the public attention (our glib headline notwithstanding). The public has, it seems, become inured to the risks of a data breach, which is a troubling phenomenon. Even as regulators become more aggressive in enforcing data security standards, public interest in the subject has waned (is anyone outside of privacy circles still obsessing over Cambridge Analytica?). The tension between those two facts — regulatory zeal and consumer apathy — is one that businesses will have to mind carefully.
Then again, if it were publicly revealed how many queso fundidos I ordered in the last ten years, I would be up in arms. It’s all a matter of perspective, I suppose.