Cyber liability poses some unique questions for franchise organizations. Often, after a data breach, a well-known retail brand licks its wounds, learns a lesson or two, discloses the specifics of the compromised data, and moves on.
An interesting wrinkle arises when you factor in the nature of the relationship between the franchisees and the central corporate entity. The franchisees, in most cases, are independent business owners who pay for the privilege of using the corporate brand and its supporting services. When a breach occurs, the affected owners can take a substantial hit to their wallets in the form of lost income, lost wages, spoiled food, and other costs, and may look to the corporate “mothership” to make them whole again.
These sorts of liability questions might lead the franchisees to take legal action that could significantly impact the potential financial payouts. This situation highlights the fact that franchise organizations have a unique set of challenges when it comes to cyber threats.
Franchisors and franchisees have an interesting interdependent relationship because, while they are different companies, they share entangled domains of trust and risk. Each relies on the other to do its part to protect information and information systems, but the incentives are often not aligned to position both for success. Some of the factors contributing to this poor alignment include the following:
Naturally, attackers are aware of all this, and it’s not uncommon for them to target individual franchise locations in order to pivot to others or gain access to the broader franchisor network. Alternatively, they may target third-party service providers in order to hit large numbers of franchises at scale. When this happens, complicated questions of liability arise.
Regulators are shifting the way they view the franchisor/franchisee organizational relationship, even though these are independent operations. When the consumer walks in the front door and swipes his credit card, he’s placing his trust in the logo on the outside of the building, not in the unseen entity whose name is on the local lease.
In 2015, Wyndham Hotels and Resorts settled a lawsuit launched by the U.S. Federal Trade Commission after a data breach at a single franchise hotel in Phoenix raised questions concerning Wyndham’s responsibility to protect consumer data across its 8,000 independent hotels around the globe. As part of its settlement, Wyndham agreed to launch a comprehensive information security program for franchisees, including conducting annual audits.
In 2018, an attack on Canada’s Tim Hortons added a new twist. Most often, when security breaches associated with a retail brand hit the news, it’s because of the impact on consumers. However, the Tim Hortons incident involved direct B2B liability with quantifiable financial damages. This case could set an important precedent and should put all franchisors on notice that keeping their franchisees at arm’s length can lead them to ignore key risks they should be addressing — for instance, the fact that the franchise business model exposes a complex and extensive attack surface. It’s time for franchisors and franchisees to sit down together and ensure that all franchise defenses are up to the challenge of today’s most sophisticated, targeted threats. It’s also time for the insurance industry to step up with new products that address these new, complicated risks for all parties.