The reliance of restaurant chains and retail stores on outside companies to handle credit-card processing and other information-technology functions is partly to blame for a rash of consumer data breaches over the last few years, according to data sleuths at Verizon Communications Inc.
Even a chain with thousands of restaurants might have only 100 employees in information technology, so it uses outside vendors for many IT functions, said Bryan Sartin, director of the investigative response team at Verizon Business.
"What happens is there's a lack of accountability on the third party," Sartin said.
Verizon's unit investigates a quarter to a third of the big, publicly announced data breaches that occur each year, and hundreds of smaller cases.
In recent years, restaurant and retail businesses have accounted for more than half of Verizon's 230 to 250 cases per year, according to a report Verizon issued Thursday. It often finds that insiders at service vendors are part of the heists.
Organized data-stealing gangs "go to the call centers, the Web development companies, the content development companies, the business partners, the people who pick up the backup tapes," Sartin said. "They say ... if you hate your boss and you're in financial straits, we're your solution. Give us access to your customers. Better yet, give us your data."
In a typical case Sartin was involved in, the team was approached by a large oil company in Canada, with thousands of gas stations. Customers were finding spurious charges on their credit cards after using them at the stations.
The team soon figured out that someone at a technology vendor was responsible, but couldn't pin it down. So the investigators set a trap in the system, to see who accessed customer data.
"The trap went off on Saturday morning," Sartin said. "Hackers always think nobody's looking on Saturday mornings."
A police car headed to the vendor's office, and the culprit turned out to be a 21-year-old who supported the software that operated the gas pumps. He had sold lists of customer data to organized crime.
Many breaches don't happen through outsourcing. In one of the largest cases in recent years, the gang that stole 41 million credit and debit card numbers from chains including TJX Cos. obtained access through unsecured wireless networks, not through subcontractors' systems.
Still, Verizon's report advises companies to keep a tighter rein on contractors, including by limiting partners' access to only the data they need.