Five Guys Enterprises LLC, a chain of burger restaurants, has reported a data breach that exposed personally identifiable information taken from job applications.
The information was provided in a form letter dated December 29 that was submitted to the Montana Department of Justice. The letter details a security incident that occurred on September 17 and involved unauthorized access to files on a file server.
According to Five Guys, once it became aware of the unauthorized access it activated its incident response plan, took steps to contain the attack, and began an investigation. It also notified law enforcement and engaged a forensic cybersecurity firm.
On December 8, the investigation concluded that the data accessed related to the company's hiring process. The template letter itself lists only the applicant's name followed by a placeholder field marked "Variable Text 1"; in each individual letter that field would presumably be filled in with the specific data elements exposed for that applicant.
In response to the breach, Five Guys is offering affected individuals a year of free credit monitoring and identity protection services, which include a $1 million insurance reimbursement policy and fully managed identity theft recovery. The template letter also describes other identity theft risks and closes with the phrase "if your health insurance was implicated," which suggests that, at least for some applicants, the exposed data may have extended well beyond names.
This is not the first time the chain has been targeted. A 2012 court case revealed that attackers had obtained account information belonging to the company's debit card customers.
As of publication, no group has publicly claimed responsibility for the theft. The attack method has not been disclosed; unauthorized access to a file server could arise from several scenarios, such as compromised credentials, an unpatched vulnerability, or misconfigured storage, but the letter does not say which applied here.
Information security experts and industry leaders commented on the breach below.
“Five Guys hasn’t disclosed how many people were affected by this breach, so it’s hard to gauge the scope of the attack. The employee database contained all the info cybercriminals need to steal identities, notably Social Security numbers. Given this breach took place nearly four months ago, the free credit monitoring and identity theft protection might be too little, too late for some employees.”
“I am always disappointed when we first learn of a data breach that occurred numerous months ago. Unfortunately, when this happens, it means that affected customers and employees are not warned about the breach until the bad guys have had the data long enough to use it to conduct social engineering attacks. This time between attacks and notification must be greatly reduced to allow victims of the breach to be aware of possible phishing schemes that may target them.”
“Five Guys has not publicly stated what information has been stolen in this breach, but if the data does contain any PII, it is wise for any victims to be vigilant for identity theft and fraudulent financial transactions on their credit reports.
Any organisation that holds personal data has a duty to keep it secure. These organisations must employ strict controls to monitor for threats, so they can be identified with speed and victims of breaches can be alerted quickly. Waiting three months after a breach has been identified to inform victims is a situation all organisations should strive to avoid.
When it comes to building out cybersecurity resilience, this involves establishing a cyber hygiene baseline, using Zero Trust principles to limit the impact of breaches by protecting key accounts and preventing lateral movement, and training employees regularly on cybersecurity and the evolving threat landscape.”
“Data exposure is THE most serious cyber-risk facing any enterprise. Threat actors are going after data in a variety of ways, either through ransom, by encrypting and stealing that data, or by taking it and selling it on the dark web. Either way, the brand impact, financial compensation and remediation costs can be so substantial that even the best earnings can be impacted.
“For most companies this is simply a matter of “when” not “if”. Traditional security approaches require 100% efficacy against 100% of the attacks 100% of the time on 100% of the users. Threat actors just need one of the “Five Guys” to fall prey one single time to gain access to the crown jewels of the organization, their data.”
The Five Guys CEO letter says the attackers gained access to a file server, but no lateral movement is mentioned. This therefore seems like a smash-and-grab kind of situation. The common break-in approaches for attacks like these are exploitation of vulnerabilities, phishing, malware, and stolen credentials. Motivation for data theft is almost always monetary. This incident appears to involve data related to the employment process. That data typically contains PII that can be sold on the dark web, used for identity theft, or used for extortion.
The most common initial attack vectors are exploitation of vulnerabilities and stolen credentials. Organisations can combat these by having robust lifecycle management of all computer hardware and software. This requires identifying critical assets and data and protecting them accordingly. Asset lifecycle management must also include sustainable and efficient vulnerability and patching programs. Additionally, strong authentication and authorisation processes that include MFA need to be employed.
Overall, there need to be better standards when it comes to flagging the issue and sending a customer notification letter. In March 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was signed into law. This requires the “Cybersecurity and Infrastructure Security Agency (CISA) to develop and issue regulations requiring covered entities to report to CISA any covered cyber incidents within 72 hours from the time the entity reasonably believes the incident occurred.”
The CIRCIA is for critical infrastructure industries, like power, transportation, financial services, etc. and potential regulated communities. Reporting is currently voluntary. Some industries like financial services have additional reporting requirements, e.g., SEC, or OCC. Regulations have not reached all industries.
After the Five Guys attack, there is potential here for a ripple effect. Any victimised organisation could receive double extortion threats, i.e., ask for money to not leak or sell the data. Individuals whose information is contained in the breach could be victims of “triple extortion” whereby the attackers demand money from them to in turn not sell or use their data.
It is important for anyone impacted by this breach to take advantage of the credit monitoring being made available. Follow the steps suggested in the CEO letter for fraud alerts and credit or security freezes. Victims should monitor their bank accounts closely and have their transaction alerts activated.