A franchisee owned over 100 restaurants and shared files between locations using a server at their corporate office, which had an insecure VPN connection set up by their third-party IT company. This allowed a hacker to crack the weak password and access the file server connected to all restaurant POS systems, enabling the download of malware to steal customer payment card data from over 100 locations. The security risks could have been prevented by requiring two-factor authentication for remote access and unique, complex passwords for each restaurant's systems.