, ,

Cybersecurity incident disrupted Kwik Trip’s system. It’s not the only employer to face cyberattacks recently

La Crosse-based convenience chain doesn't believe payment information was compromised

By
kwik trip
Andrew Iverson (CC BY-NC-ND 2.0)

A cyberattack earlier this month knocked out Kwik Trip’s loyalty program and disrupted internal company systems, but the La Crosse-based convenience store chain said it doesn’t believe customer payment information was affected.

It’s the latest high-profile cybersecurity incident in Wisconsin, as school districts, local governments, health systems and other employers have also experienced digital attacks in recent years.

On Thursday, Kwik Trip said it experienced a “cybersecurity incident” on Oct. 9. The company says it detected the issue “within hours” and “immediately” began working with experts to address it.

Stay informed on the latest news

Sign up for WPR’s email newsletter.

This field is for validation purposes and should be left unchanged.

“The investigation into the nature and scope of this is ongoing and in its early stages,” said John McHugh, the company’s vice president of external relations. “Done correctly and thoroughly, these investigations take time to complete. To date, there is no indication that guest’s payment card information was involved.”

In a statement, he said the systems impacted were related to production facilities in La Crosse, internal communications systems and the chain’s loyalty program.

McHugh said most internal systems were functioning and the Kwik Rewards program was back online at many stores as of Thursday. He said all locations should be able to process loyalty transactions “within the next few days.”

Alex Holden, chief information security officer at Hold Security, said companies like Kwik Trip have a lot of personal information from their customers through loyalty programs. He said he suspects that information may have been one of the targets.

“A great amount of personal information that people put into the loyalty program is probably endangered and stolen,” Holden said. “That information can be used for more phishing, more abuse, identity theft and much, much more.”

Kwik Trip isn’t the only employer to experience a cyberattack in recent years, as they’ve been on the rise nationally. In 2018, the FBI’s Internet Crimes Complaint Center received 351,937 complaints of Internet scams that resulted in $2.7 billion in losses. Last year, it received 800,944 complaints resulting in $10.3 billion in losses.

A 2023 survey of over 400 Wisconsin manufacturing executives found that 22 percent had either been hacked or experienced a data breach of some kind. That’s up from 18 percent in 2022 and 16 percent in 2021.

Last year, a data breach at Elmbrook School District exposed current and former employees’ names and social security numbers. The state court system’s computer network was also attacked by hackers in March. A cyberattack caused Prevea Health’s communications systems going down for over a week in late August and early September.

Holden said the vast majority of cyberattacks are financially motivated, and attributed the national rise to more people having access to technology.

“More and more bad guys (are) monetizing their cyber capabilities, malicious capabilities, and they’re causing harm, and they’re making money,” he said. “(The) more money they make, the more incentive they have to repeat their crimes and effect more and more companies and individuals.”

Christine Sigrist, program manager for business analysis and technology at the University of Wisconsin-Milwaukee School of Continuing Education, said it’s important to train employees to detect potential threats, like phishing or spam emails.

“Employee Training is certainly essential and required, even if you’re a tiny company,” she said. “(But) you ought to plan that you won’t be 100 percent successful in preventing an attack because there’s just so many ways for that to happen.”

Sigrist said workplaces also need a response plan in place for after an attack happens. She said that requires information technology departments to create policies and procedures for ensuring online information is secure by monitoring for abnormalities.

“A lot of the courses and programs about becoming a cybersecurity analyst are about monitoring transactions and behaviors, and looking for activity that looks abnormal,” she said. “If all of a sudden you have a huge rise in people hitting your website, you could have just gotten really popular, or somebody could be trying to bring your system down.”