Thu | Jan 5, 2023 | 3:38 PM PST

Popular hamburger chain Five Guys recently announced in a consumer notification letter that the company experienced a security incident possibly impacting personal information of employees and customers.

The letter says the company discovered the incident, which involved unauthorized access to some files on a server, on September 17, 2022. Five Guys Enterprises immediately implemented its incident response plan and launched an investigation.

Since then, with the help of an unnamed cybersecurity firm, it has "determined that the files contained information submitted to us in connection with the employment process." This would mean the compromised data include things such as names, Social Security numbers, and driver's license numbers.

In the letter, which is signed by COO Sam Chamberlain, the company says that it does take incidents like these seriously and wants to do what it can to help those who might be affected. 

The letter says:

"We have arranged for you to receive credit monitoring and identity protection services through the company IDX at no cost to you. These identity protection services include one year of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed identity theft recovery services. These services are completely free to you, and enrolling in this program will not hurt your credit score."

Does that seem like an appropriate response from the company?

John Bambenek, a principal threat hunter at Netenrich, discussed the incident and why threat actors may have targeted the burger chain:

"Fundamentally, in every industry, hiring is typically the most miserable process any manager goes through. What this means is that it's ripe for outsourcing and no one thinks about it again after the hiring is done. They probably took more time to realize there was PII in the breach because it wasn't THEIR PII and because no one gave any real thought as to the risk of the breach until after it happened. It's just human nature to think that way.

The most immediate use of this data is to realize there are a handful of people on the lower end of the economic scale who are looking for jobs. I imagine there will be scams and mule recruitment lures sent to those people in the near future. Considering the industry, I can't see a viable attack path towards Five Guys itself, unless some of those resumes represent 'back office' type staff."

Thankfully, we should all still be able to stop by Five Guys and enjoy a tasty burger and fries.
