Five Guys Enterprises LLC, a chain of burger restaurants, has reported a data breach that led to the loss of personally identifiable information from job applications.
The information was provided in a form letter dated December 29 that was submitted to the Montana Department of Justice. The letter details a security incident that occurred on September 17 and involved unauthorized access to files on a file server.
According to Five Guys, it quickly activated its incident response plan, took actions to control the attack, and started an investigation after becoming aware of the illegal access. The business not only followed the regular response protocol but also notified law enforcement and hired a forensic cybersecurity company.
On December 8, a subsequent inquiry found that the information obtained was related to its hiring procedure. The data stolen, according to the template letter, only included applicants’ names before a field marked “Variable Text 1.” The field would presumably be filled out with additional data pertaining to the impacted job application.
Five Guys is providing free credit monitoring and identity protection services for a year in reaction to the data breach. These services include a $1 million insurance reimbursement policy and fully managed identity theft recovery services. The template letter also outlines other identity theft threats and ends with the phrase “if your health insurance was implicated,” which suggests that the amount of data stolen may have been considerable.
This is not the first time that hackers have attacked the fast food company. A court case from 2012 revealed that hackers had obtained the company’s debit card consumers’ account information.
As of the publication of this article, no hacking organization has publicly accepted responsibility for the data theft. Although the method of the attack is unknown, there are a few scenarios that could explain how the data was taken, including a failure to secure cloud storage.
The Information Security experts and Industry leaders commented on this breach below.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.