Security Leaders Discuss Restaurant Brands International’s Vulnerabilities

According to research from two ethical hackers called BobDaHacker and BobTheShoplifter, Restaurant Brands International (RBI) has security flaws that could enable a malicious actor to remotely eavesdrop on conversations/orders in the drive-through and access the personal information of employees. More details were included in a blog post that has since been taken down, as RBI — the parent company of Burger King, Tim Hortons, and Popeyes — threatened the researchers with legal action.
In response to this, the researchers stated, “After reviewing the complaint, we have decided to take down the blog post in question to avoid any legal complications. While we believe our security research was conducted ethically and in the public interest, we have chosen to remove the content rather than engage in a legal dispute.”
Below, security leaders weigh in on these security flaws.
Security Leaders Weigh In
Boris Cipot, Senior Security Engineer at Black Duck:
This unfortunate case is the best possible example of what will happen when you neglect the basic cybersecurity principles. Things like hardcoded passwords and default credentials like 'admin' are serious vulnerabilities that should be caught in the earliest stages of development. Such mistakes should never see the light of a production system, especially a production system that is used across 30,000+ global outlets. That the ethical hackers accessed internal configurations, employee accounts, and even raw drive-thru conversations shows that there is a lot to improve both in application security and data governance.
RBI customers who use any of their digital services, be it mobile apps, loyalty programs, or online ordering, should consider changing their passwords and monitoring their accounts for unusual activity. They should also look out for possible phishing attacks that may exploit the leaked internal data. Affected customers should also change their password in the case that the password they use for RBI digital services is also a password for any other digital service. For future reference, password reuse is a bad idea and, in cases like this, can cause serious financial damage.
For RBI, the next steps of their cyber resilience path must include a full security audit, implementation of secure coding practices and a zero-trust architecture to further ensure uncompromised trust in software.
Patrick Tiquet, Vice President, Security & Architecture at Keeper Security:
The restaurant industry has progressively become a target for cyber-attacks. It is vital for these businesses to prioritize cybersecurity to protect both customer data and financial assets. Strong authentication practices, such as using unique passwords and implementing Multi-Factor Authentication (MFA), are essential — yet often overlooked. Despite not being the most exciting topics, these measures are vital since 68% of breaches involve the human element, including stolen credentials, phishing attacks, misuse or simple user errors.
Given the critical role employees play in defending against cyber threats, restaurants must implement regular training programs. Employees need to be educated to identify phishing and social engineering attacks, remain vigilant against suspicious emails, avoid risky attachments and refrain from visiting dubious websites. In addition to staff training, strong password practices and the use of MFA are essential for enhancing security and mitigating cyber risks. As restaurants increasingly adopt digital solutions and interconnected systems, investing in comprehensive cybersecurity measures is no longer optional.
Kern Smith, Vice President of Global Solutions at Zimperium:
In today’s restaurant industry, mobile devices are vital for operations; however, their increased use exposes businesses to cybercriminal threats. To combat these risks, restaurants must prioritize mobile security. By leveraging advanced security measures that continuously monitor and adapt to evolving threats, restaurants can protect their operational integrity and ensure compliance with industry standards. A proactive approach to cybersecurity protects sensitive information and supports continued business success in an increasingly digital landscape.