American fast food restaurant chain Five Guys has announced a data breach in a recent letter to customers from COO Sam Chamberlain.
According to the letter, the security incident occurred in September 2022 and exposed sensitive customer data by an unauthorized party who accessed a file server.
Stolen data would include employee personally identifiable information (PII) such as names, social security numbers and driver's license numbers.
"This is yet another incident where attackers have managed to breach an organization's network, and the victims whose data was stolen were not informed until months later, offering attackers ample time to use that information to commit credit and identity fraud," said Julia O'Toole, CEO of MyCena Security Solutions.
Further, according to Casey Ellis, founder and CTO at Bugcrowd, what was breached was likely Five Guys' recruiting system, where candidates upload their resumes.
"Having these sorts of systems available to the internet makes sense when you consider the recruiting and job application process, but if something is more available to a public user, it's also more available to a potential attacker," Ellis told Infosecurity.
"Common web coding flaws like Indirect Object References (IDOR), authentication flaws, and even injection flaws can enable this type of attacker outcome without the need for lateral movement."
John Bambenek, principal threat hunter at Netenrich, added that the most immediate use of this data is to realize there are a handful of people on the lower end of the economic scale who are looking for jobs.
"I imagine there will be scams and mule recruitment lures sent to those people in the near future," Bambenek added. "Considering the industry, I can't see a viable attack path towards Five Guys itself unless some of those resumes represent 'back office' type staff."
In the letter, the company said it has arranged for affected customers to receive free credit monitoring and identity protection services through IDX as compensation.
"These identity protection services include one year of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed identity theft recovery services," the company wrote.
The data breach, though only disclosed now, took place weeks before KFC and McDonald's customers were targeted via phishing campaigns across Saudi Arabia, UAE and Singapore last October.