Now, some three years later, Penn Station President Craig Dunaway tells Information Security Media Group in an exclusive interview details about the breach, its impact, the lessons Penn Station learned, and steps this Cincinnati-based chain has taken to shore up its POS security.
"I think there is no substitution for putting your point-of-sale system on lockdown," Dunaway says. "We had a routing system that used to be used to get in and out of the system."
The POS system allowed franchisees to send and receive emails and share sales reports. But that posed risks that were unforeseen at the time, Dunaway says.
Verizon, the forensics firm that investigated Penn Station's breach, was never able to pinpoint exactly how malware infiltrated the network and infected the system, Dunaway says.
But after learning more about how cyberattacks against retailers were being waged, Dunaway says he didn't want to take any chances, and now Penn Station's POS network is only used for payments, and is not accessed by franchisees.
"We now work with a third-party organization for our point-of-sale security," he says. "They monitor our activity, and that's what they do for a living."
Penn Station, which has 300 locations in 15 states and approximately $170 million in annual revenue, is a regional chain that couldn't afford to manage enhanced POS security in-house, Dunaway says.
"We went to a third party because we didn't have the capability to do that 24/7," he explains. "I took some heat from the franchise community, because the point-of-sale system we use was designed to communicate in ways I'm not allowing anymore."
Today, however, after the highly publicized breaches that followed Penn Station's, such as Target and Home Depot, Dunaway says franchisees are thankful for the changes that have been made to shore up Penn Station's POS security.
"I wish I would have known how sophisticated and how ramped these attacks are," Dunaway says. "Looking back, I wish we had spent a lot more time educating our franchisees about the severity of all of this. ... Once they understood the ramifications, they changed what they were doing as well and how they viewed cybersecurity."
At the time of Penn Station's breach, Dunaway was forthcoming with the media, Penn Station's customers and Penn Station's franchisees about the incident (see Learning From a Breach Response).
"Early on with our attorneys, I had some really strong debates about what we would and would not share about the attack," he says. "But after 26 years in business, Penn Station had a really good reputation, and I wasn't going to let a criminal element take charge of that and ruin it."
During this interview, Dunaway also discusses:
- C-level accountability for breaches;
- Why educating smaller merchants about cybersecurity is an ongoing challenge; and
- Why constantly testing and revamping POS security is so critical.
Before joining Penn Station as president in August 1999 and becoming a member of the restaurant chain's board of directors in September 2001, Dunaway was a partner at McCauley, Nicolas & Company LLC, an accounting firm in Jeffersonville, Ind., where he began working in December 1992. Dunaway previously held an ownership interest in a Papa John's franchise. Today, in addition to being the president of Penn Station, he also holds ownership interests in Coastal Cheesesteaks LLC and Louisville Cheesesteaks LLC, both of which are Penn Station franchisees. He also serves as secretary and treasurer of Louisville Cheesesteaks.