Jan 09 – American fast food chain Five Guys has reported a data breach that compromised personal details belonging to job applicants.
Five Guys initially discovered “unauthorized access to files on a file server” in mid-September, but the precise information that the documents contained was not confirmed until early December.
“This is yet another incident where attackers have managed to breach an organization’s network and the victims whose data was stolen were not informed until months later, offering attackers ample time to use that information to commit credit and identity fraud,” says Julia O’Toole, CEO of MyCena Security Solutions.
The compromised information included applicants’ names, driver’s license numbers and social security numbers.
Further details were not released by Five Guys. Affected individuals have been offered free credit monitoring and identity protection services.
Common web coding flaws, such as Insecure Direct Object References (IDOR), authentication flaws, and even injection flaws, can allow an attacker to achieve this type of outcome.
Reports suggest that a law firm specializing in data breaches has asked individuals whose information may have been compromised in the Five Guys breach to file a potential case against the company.
The compromised data from this breach may be used for credit card theft, identity theft, and as part of phishing schemes and mule recruitment lures.
While only disclosed recently, this data breach took place weeks before customers affected by the KFC data breach started to receive targeted phishing emails across Saudi Arabia, the UAE and Singapore.