Malware hits Tim Hortons payment systems, shuts down dozens of restaurants
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Malware hits Tim Hortons payment systems, shuts down dozens of restaurants

The company said the malware hit less than 100 locations

Malware hit Tim Hortons, a popular Canadian-based restaurant chain that specializes in coffee and donuts, causing dozens of stores to close across Canada.

The attackers hit the Panasonic cash registers that the chain uses. Initially the company told the Globe and Mail that the virus hit fewer than 100 locations.

That may not be entirely accurate.

“A source close to the issue told HuffPost Canada that as many as 1,000 Tim Hortons locations may have been impacted, amounting to roughly a quarter of all Canadian locations. Some locations were forced to close, while others had to shut down their drive-throughs.”

There’s very little concrete information about the actual malware that affected Tim Hortons, though it does appear as if the malicious code was designed to target cash registers, which, in turn, made them unusable.

And now, the Great White North Franchisee Association (GWFNA) – a name that probably wouldn’t last very long in the US – is preparing to sue Restaurant Brands International. The GWFNA represents the franchise owners, while the RBI is the actual operator of Tim Hortons.

The GWFNA is looking to recover lost revenue and damages for the loss of confidence in the brand.

“The business interruption includes inability to use some or all of the … issued cash registers and [point of sale] terminals, causing partial and complete store closures, franchisees paying employees not to work, lost sales and product spoilage,” said the GWFNA in a statement from the law firm Himelfarb Proszanski.

The GWFNA called the incident a “failure” and also noted that this is the second hit to Tim Hortons’ reputation, following an ugly incident where a pair of franchises owned by the founder’s children looked to offset a minimum wage increase by cutting employees’ paid breaks and requiring them to pay a greater share towards their benefits.

RBI has stated that no financial information was lost in the breach.

However, there’s still a lot left to consider when it comes to this situation. Issue number one will be culpability. If, like in the Equifax breach, lax security is the issue then RBI and Tim Hortons may be in some trouble. One of the mitigating factors will be the fact that no sensitive data was compromised. However, if updates were missed and warnings were ignored, then this is going to be squarely on Tim Hortons’ shoulders.

As for the actual damages, it looks like the biggest hit will come to Tim Hortons’ reputation. However, that will likely blow over much as it has with other large brands that run into these kinds of issues.

Regardless, the chain is going to need to be proactive in hardening its cyber defenses from here on out, lest this happen again.


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.