Chick-fil-A Customers Have a Bone to Pick Over Data Breach

November 5, 2023

Chick-fil-A customers have a bone to pick over data breach. Stay informed about the breach and safeguard your data. Chick-fil-A has been hit by a cyberattack stealing customer information. The fast food chain says the attack lasted for more than two months.

The company says attackers gained access to email addresses, membership and mobile pay numbers, QR codes, masked credit/debit card numbers and the amount of money saved on Chick-fil-A One accounts. Some accounts also had identifying information like birthdays, phone numbers and addresses.

What Information Was Exposed?

Earlier this year, Chick-fil-A revealed that hackers had accessed the company’s mobile app and stole information from its customers. In a letter to affected app users, the restaurant chain confirmed that “unauthorized parties” launched an attack on the website and app using account credentials that were obtained from a third-party source. This allowed them to access personal data including names, email addresses, Chick-fil-A One membership and mobile pay numbers, QR codes and masked credit or debit card numbers (if saved to accounts).

The breach took place between Dec. 18, 2022 and Feb. 12, 2023, and Chick-fil-A says it affected fewer than 2% of its members. The company said in its statement that once it discovered the breach, it required users to reset their passwords, removed stored credit/debit card payment methods and temporarily froze funds on Chick-fil-A One accounts. It also offered to refund mobile accounts that had money credited to them as a result of the hack.

According to cybersecurity journalist Brian Krebs, the breach was likely the result of a technique called credential stuffing. In this type of attack, logins stolen from one service are replayed against other services to take over accounts and steal data. Krebs believes Chick-fil-A was a victim of this because the attacker was able to get into the mobile app using usernames and passwords bought on the dark web. This is similar to how the Equifax breach happened last year.

How It Happened

Chick-fil-A says it noticed suspicious login activity on its app and began an investigation. It determined that unauthorized parties launched an automated attack on its website and mobile app using account credentials obtained from a third-party source. The cyberattack took place between Dec. 18, 2022 and Feb. 12, 2023, and the attackers stole information such as name, email address, Chick-fil-A One membership number, mobile payment number and QR code, masked credit or debit card number and money saved on accounts. For some customers they also grabbed identifying information like birthdays and phone numbers.

After the breach was confirmed in January, Chick-fil-A set up a website and support page with helpful tips for impacted customers. It noted that less than 2% of the members of its Chick-fil-A One loyalty program were affected by this attack. The company said the breach occurred because of a credential stuffing attack. According to Bleeping Computer, this is a tactic in which username and password pairs stolen from one site are submitted, usually by automated tools, to the login forms of other services in the hope that customers reused the same password. Accounts that open this way can then be used to make fraudulent purchases.
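The two paragraphs above describe credential stuffing from the attacker's side and note that Chick-fil-A "noticed suspicious login activity". The following is an added example, not code from Chick-fil-A or from any source quoted in the article, of the kind of detection logic a defender runs over authentication logs to spot such a campaign: one source address cycling through many distinct usernames in a short window with a low success rate. The log format, field names, thresholds and the sample lines are all constructed for the example; the output lists the source and the accounts that logged in successfully from it, which are the accounts a forced password reset would target.

```python
"""Credential-stuffing detector over authentication log lines (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample log. One automated client (203.0.113.7) replays many
# different usernames and mostly fails; 198.51.100.20 is a normal user who
# mistypes a password once; 192.0.2.44 is an ordinary successful login.
SAMPLE_LOG = """\
2023-01-05T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2023-01-05T10:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2023-01-05T10:00:02Z ip=203.0.113.7 user=carol@example.com result=FAIL
2023-01-05T10:00:03Z ip=203.0.113.7 user=dave@example.com result=FAIL
2023-01-05T10:00:03Z ip=203.0.113.7 user=erin@example.com result=SUCCESS
2023-01-05T10:00:04Z ip=203.0.113.7 user=frank@example.com result=FAIL
2023-01-05T10:00:05Z ip=203.0.113.7 user=grace@example.com result=FAIL
2023-01-05T10:00:05Z ip=203.0.113.7 user=heidi@example.com result=SUCCESS
2023-01-05T10:00:06Z ip=203.0.113.7 user=ivan@example.com result=FAIL
2023-01-05T10:00:07Z ip=203.0.113.7 user=judy@example.com result=FAIL
2023-01-05T10:02:00Z ip=198.51.100.20 user=mallory@example.com result=FAIL
2023-01-05T10:02:09Z ip=198.51.100.20 user=mallory@example.com result=SUCCESS
2023-01-05T10:30:00Z ip=192.0.2.44 user=alice@example.com result=SUCCESS
"""


@dataclass
class SourceStats:
    """Per-source-address counters accumulated while scanning the log."""
    users: set = field(default_factory=set)        # distinct usernames tried
    fails: int = 0                                 # failed login attempts
    successes: int = 0                             # successful login attempts
    logged_in: set = field(default_factory=set)    # usernames that succeeded
    first: Optional[datetime] = None               # earliest attempt seen
    last: Optional[datetime] = None                # latest attempt seen


def parse_line(line: str):
    """Parse one constructed log line into (timestamp, ip, user, succeeded)."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["ip"], fields["user"], fields["result"] == "SUCCESS"


def detect_credential_stuffing(log_text: str,
                               min_distinct_users: int = 8,
                               max_success_ratio: float = 0.25,
                               window: timedelta = timedelta(minutes=10)):
    """Return {source_ip: [accounts that succeeded from it]} for sources whose
    behaviour matches credential stuffing: many distinct usernames within the
    window and a low success ratio. Thresholds are illustrative assumptions."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, ok = parse_line(line)
        s = stats[ip]
        s.users.add(user)
        if ok:
            s.successes += 1
            s.logged_in.add(user)
        else:
            s.fails += 1
        s.first = ts if s.first is None else min(s.first, ts)
        s.last = ts if s.last is None else max(s.last, ts)

    findings = {}
    for ip, s in stats.items():
        attempts = s.fails + s.successes
        success_ratio = s.successes / attempts
        spread = s.last - s.first
        if (len(s.users) >= min_distinct_users
                and spread <= window
                and success_ratio <= max_success_ratio):
            findings[ip] = sorted(s.logged_in)
    return findings


if __name__ == "__main__":
    for ip, accounts in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"credential stuffing from {ip}; reset passwords for: {accounts}")
```

On the sample, only 203.0.113.7 is flagged, with erin@example.com and heidi@example.com as the accounts to reset; the single typo from 198.51.100.20 is not. Real campaigns rotate through many source addresses to stay under per-IP thresholds, so a production version would also aggregate by network block, device fingerprint or user agent, and compare the overall login failure rate against a normal baseline rather than relying on a single source's counters.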

It is believed that the hack was a result of malware that was installed in third-party point-of-sale systems, similar to what happened at Dairy Queen. The restaurant chain said that they were working with their POS vendors to identify what was compromised.

In the wake of this breach, Chick-fil-A has reset passwords, removed credit and debit cards from impacted accounts, frozen funds that were loaded onto mobile accounts and added rewards for those impacted. It strongly encourages impacted customers to change their passwords at every site where they reused them and to consider using a password manager like Bitwarden to help keep track of them.

What You Can Do Now

Chick-fil-A customers should look out for a letter sent to them about a data breach in the chain’s mobile app. The restaurant says that unauthorized parties were able to access member names, email addresses, Chick-fil-A One account passwords, phone numbers, and the last four digits of credit or debit card numbers on their accounts.

In a statement, Chick-fil-A says it noticed unusual login activity on some accounts and began investigating. It determined that a cyberattack was launched on the app between Dec. 2022 and Feb. of this year.

It also says that it took action to protect its customers and notified law enforcement. This included requiring the reset of passwords, removing saved credit and debit card payment methods from the Chick-fil-A One app, and temporarily freezing funds on some accounts.

The company has also offered to provide help for victims, such as restoring accounts and offering free credit monitoring. However, experts advise that consumers take these offers with a grain of salt, as they aren’t necessarily a guarantee against identity theft or financial harm. Plus, some attorneys warn that accepting companies’ help could limit your ability to join class-action lawsuits against them in the future. You can guard against identity theft by contacting your credit card companies to set up fraud alerts and freeze your account. You should also consider limiting the number of online accounts you have and deleting those you no longer use.

What You Can Do Next

A bogus Chick-fil-A coupon is circulating on social media. It asks people to share a link in order to redeem 2 free adult meals at the restaurant. WJBF’s Shawn Cabbagestalk contacted Chick-fil-A representatives, who say the offer is fake.

The Atlanta-based restaurant chain recently notified members of its Chick-fil-A One loyalty program that they may have been impacted by a data breach. According to the company, hackers gained access to member accounts by stealing account credentials in a credential stuffing attack. This allowed them to view customer information including name, birthday, email address, Chick-fil-A One membership and mobile pay number, QR code, masked credit or debit card number and the amount of Chick-fil-A One credit on their account (if any).

In addition to the notification letter, Chick-fil-A has taken other steps to protect its customers, such as forcing users to reset passwords, removing saved payment methods from accounts, resetting the mobile app password and temporarily freezing funds on impacted accounts. Chick-fil-A is also working with a national forensics firm to investigate the incident and take further steps as needed.

In the meantime, impacted customers should be on the lookout for phishing emails requesting personal information or credit card numbers. They should also consider changing their passwords on other sites where they have the same login info and using a password manager, like Bitwarden, to keep track of them all. As the company’s statement points out, 65% of data breaches result in identity theft, so taking these precautions is important.

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.

