Five Guys Data Breach Puts HR Data Under a Heat Lamp

The Five Guys burger empire has been hit with what appears to be a “smash-and-grab” operation: Cyberattackers busted right into a file server and made off with the personally identifiable information (PII) of people who applied to work at the chain.

Details are scant, but in a form letter to those affected sent out on Dec. 29, Five Guys chief operating officer Sam Chamberlain noted that an “unauthorized access to files” was discovered on Sept. 17 and was blocked the same day.

He added, “We conducted a careful review of those files and, on December 8, 2022, determined that the files contained information submitted to us in connection with the employment process, including your name and [variable data].”

What was that “variable data,” one might ask? Turke & Strauss LLP, a law firm that is investigating the matter on behalf of the victims, identifies the information as including Social Security numbers and drivers’ license data.

Five Guys didn’t immediately respond to a request for verification or comment from Dark Reading.

Five Guys employs about 5,000 people worldwide, according to Forbes, and presumably the turnover and number of applications for open positions is similar to other food-service jobs. But while that means that numerous people could potentially be affected by the breach, the company has so far left it unclear how many people were actually caught up in the incident.

Five Guys also hasn’t announced what, if any, shoring up of security it plans to do in the wake of the incident, only noting that it engaged law enforcement and a cybersecurity firm, and that it will provide credit monitoring. Brad Hong, customer success manager at Horizon3ai, notes that improvements to defense should be an important part of the incident response.

“An unfortunate precedent has been set [by the infamous Equifax breach] to simply provide credit monitoring, shifting the onus of action back to the consumer instead of the organization stating the technological steps taken to prevent breaches in the future,” he says.

A Whole Menu of Follow-on Attacks

Researchers note that the unfolding situation could prove difficult for both the individual victims and the burger purveyor itself. This is not Five Guys’ first time being flamed on the cybercrime grill, as BullWall executive vice president Steve Hahn notes — and a previous incident illustrates just what could be at stake for both.

“In a previous breach of Five Guys, the threat actor used the stolen data to make fraudulent charges on bank debit and credit cards, and one such bank, Trustco, was hit with $100,000 in fraudulent charges from customers of theirs that were part of this data breach,” he tells Dark Reading. “If the bad guys got that much out of Trustco, imagine how much they’ve bilked from Chase or Bank of America.”

As for the impact to the company, Trustco went on to file a lawsuit against Five Guys in New York for damages related to issuing new cards and reimbursing victims for fraudulent charges.

In this more recent case, John Bambenek, principal threat hunter at Netenrich, notes that there are any number of follow-on attacks that threat actors could mount using the data, even if it doesn't include payment-card information.

“The most immediate use of this data is to realize there are a handful of people on the lower end of the economic scale who are looking for jobs,” he says. “I imagine there will be scams and mule recruitment lures sent to these people in the near future.”

Hahn meanwhile mentions that the craftier cybercriminal types will often also try to take advantage of the fear and response available when such an incident is publicized, in the form of ultra-believable phishing efforts.

“Victims may get an email: ‘We apologize but as you may have heard your data was part of our data breach,’” he explains. “‘Please click here to reset your password.’ These emails can look just like emails from Five Guys and they may even spoof the Five Guys domain. Once the user puts in their credentials, the threat actor now has access to all the other sites they use that password on, like PayPal, Amazon, or Venmo.”

Jim Morris, chief security adviser at Tanium, also tells Dark Reading that the potential for a cybercrime ripple effect could also include extortion, affecting applicants and organizations alike.

“Any victimized organization could receive double extortion threats — i.e., ask for money to not leak or sell the data,” he says. “Individuals whose information is contained in the breach could be victims of triple extortion, whereby the attackers demand money from them to in turn not sell or use their data.”

A Smash (& Grab) Burger of Data Theft

Since the data breach notice indicates that the bad guys accessed a single file server, with no lateral movement, this is likely a case of financially motivated attackers looking for low-hanging fruit, researchers say — and finding it.

Restaurants and food-service outlets have a unique set of financial challenges (like razor-thin margins) that can often lead to them deprioritizing security, even as they collect reams of data via online ordering, reservations systems, HR systems, and more, on an order of magnitude that far outstrips other sectors, says Andrew Barratt, vice president at Coalfire.

“The challenge is real — we have adaptive threat actors who will chase down any point of entry versus defenders with limited budgets and a whole raft of macro-economic stresses to focus in on too,” he says. “Really, we need to keep visibility of these kinds of compromises high so that executives don't discount them as ‘won’t happen to me.’”

Others are less charitable. Horizon3ai’s Hong adds, “Unless the attack vector in this incident was a novel one, all signs point to this incident being another example of a company that chose returns over security. With Five Guys pulling in close to $2 billion in revenue, I’d be interested to see what their cybersecurity spend was.”

Meanwhile, Web-facing systems could exacerbate the risk, Casey Ellis, founder and CTO at Bugcrowd, says.

“This sounds a lot like a recruiting system where candidates upload their resumes,” he tells Dark Reading. “Having these types of systems accessible to the Internet makes sense when you consider the recruiting and job application process, but if something is more accessible to a public user, it is also more accessible to a potential attacker.”

He adds, “Common Web coding flaws like Indirect Object References (IDOR), authentication flaws, and even injection flaws can enable this kind of attacker outcome without the need for lateral movement.”

Indeed, Tanium’s Morris notes that the most common break-in approaches by threat actors looking for easy pickings tend to be the exploitation of known vulnerabilities, and phishing and stolen credentials. As such, there are simple steps that could make bottom-feeding data thieves simply move on to an easier target.

“Organizations can combat these attacks by having robust life-cycle management of all computer hardware and software. This requires identifying critical assets and data and protecting them accordingly,” he says. “Asset life-cycle management must also include sustainable and efficient vulnerability and patching programs. Additionally, strong authentication and authorization processes that include multifactor authentication must be employed.”
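The recruiting-portal scenario Ellis describes, as an added illustration that is not from the article, from Five Guys, or from any real portal: an applicant-record lookup with an insecure direct object reference (IDOR), the same lookup with authorization bound to the record, and a log check that flags the sequential-id enumeration an IDOR invites. Every record, account name and log line below is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Application:
    id: int
    applicant: str    # authenticated account that submitted the application
    ssn_last4: str    # stands in for the PII the breach letter describes


# Constructed store: three applicants with sequential, guessable ids.
APPLICATIONS: Dict[int, Application] = {
    101: Application(101, "alice", "1234"),
    102: Application(102, "bob", "5678"),
    103: Application(103, "carol", "9012"),
}


def get_application_vulnerable(user: str, app_id: int) -> Optional[Application]:
    """IDOR: the lookup is keyed only on the client-supplied id, so any
    logged-in applicant can read every other applicant's record by
    counting through ids, with no lateral movement needed."""
    return APPLICATIONS.get(app_id)


def get_application_hardened(user: str, app_id: int) -> Optional[Application]:
    """Authorization is tied to the record itself: a record that exists
    but belongs to another account is indistinguishable from 'not found'."""
    app = APPLICATIONS.get(app_id)
    if app is None or app.applicant != user:
        return None
    return app


def enumerated_ids(log_lines: Iterable[str], threshold: int = 3) -> Dict[str, List[int]]:
    """Detection: count distinct application ids each account fetched.
    An applicant owns one record, so one account pulling several ids is
    the enumeration pattern worth alerting on and reviewing."""
    seen = defaultdict(set)
    for line in log_lines:
        # Constructed log format: "<user> GET /applications/<id> <status>"
        user, _method, path, _status = line.split()
        seen[user].add(int(path.rsplit("/", 1)[1]))
    return {u: sorted(ids) for u, ids in seen.items() if len(ids) >= threshold}


# Constructed access log: bob walks through his neighbours' ids.
CONSTRUCTED_LOG = [
    "alice GET /applications/101 200",
    "bob GET /applications/101 200",
    "bob GET /applications/102 200",
    "bob GET /applications/103 200",
]
```

Against the vulnerable lookup the constructed log reads as three successful reads by one account; against the hardened one the two foreign ids return nothing, and the detection function still surfaces the attempt.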
