The Five Guys burger empire has been hit with what appears to be a "smash-and-grab" operation: Cyberattackers busted into a file server and made off with the personally identifiable information (PII) of people who applied to work at the chain.
Details are scant, but in a form letter to the impacted sent out on Dec. 29, Five Guys chief operating officer Sam Chamberlain noted that an "unauthorized access to files" was discovered on Sept. 17 and was blocked the same day.
He added, "We conducted a careful review of those files and, on December 8, 2022, determined that the files contained information submitted to us in connection with the employment process, including your name and [variable data]."
What was that "variable data," one might ask? Turke & Strauss LLP, a law firm that's investigating the matter on behalf of the victims, identifies the information as including Social Security numbers and drivers' license data.
Five Guys did not immediately respond to a request for verification or comment from Dark Reading.
Five Guys employs about 5,000 people worldwide, according to Forbes, and presumably the turnover and number of applications for open positions is similar to other food-service jobs. But while that means that a large number of people could potentially be affected by the breach, the company has so far left it unclear how many people were actually caught up in the incident.
Five Guys also hasn't announced what, if any, shoring up of security it plans to do in the wake of the incident, only noting that it engaged law enforcement and a cybersecurity firm, and that it would provide credit monitoring. Brad Hong, customer success manager at Horizon3ai, notes that improvements to defense should be an important part of the incident response.
"An unfortunate precedent has been set [by the infamous Equifax breach] to simply provide credit monitoring, shifting the onus of action back to the consumer instead of the organization announcing the technological steps taken to prevent breaches in the future," he says.
A Whole Menu of Follow-on Attacks
Researchers note that the unfolding situation could prove difficult for both the individual victims and the burger purveyor itself. This isn't Five Guys' first time being flamed on the cybercrime grill, as BullWall executive vice president Steve Hahn notes — and a prior incident illustrates just what could be at stake for both.
"In a past breach of Five Guys, the threat actor used the stolen data to make fraudulent charges on bank debit and credit cards, and one such bank, Trustco, was hit with $100,000 in fraudulent charges from customers of theirs that have been part of this data breach," he tells Dark Reading. "If the bad guys got that much out of Trustco, imagine how much they've bilked from Chase or Bank of America.”
As for the impact to the company, Trustco went on to file a lawsuit against Five Guys in New York for damages related to issuing new cards and reimbursing victims for fraudulent charges.
In this more recent case, John Bambenek, principal threat hunter at Netenrich, notes that there are any number of follow-on attacks that threat actors could mount using the data, even if it doesn't include payment-card information.
"The most immediate use of this data is to realize there are a handful of people on the lower end of the economic scale who are looking for jobs," he says. "I imagine there will be scams and mule recruitment lures sent to those people in the near future."
Hahn meanwhile mentions that the craftier cybercriminal types will often also try to take advantage of the fear and reaction in the market when such an incident is publicized, in the form of ultra-believable phishing efforts.
"Victims may get an email: 'We apologize but as you may have heard your data was part of our data breach,'" he explains. "'Please click here to reset your password.' These emails can look identical to emails from Five Guys and they can even spoof the Five Guys domain. Once the user puts in their credentials, they threat actor now has access to all the other sites they use that password on, like PayPal, Amazon, or Venmo."
Tim Morris, chief security adviser at Tanium, also tells Dark Reading that the potential for a cybercrime ripple effect could also include extortion, affecting applicants and organizations alike.
"Any victimized organization could receive double extortion threats — i.e., ask for money to not leak or sell the data," he says. "Individuals whose information is contained in the breach could be victims of triple extortion, whereby the attackers demand money from them to in turn not sell or use their data."
A Smash (& Grab) Burger of Data Theft
Since the data breach notice indicates that the bad guys accessed a single file server, with no lateral movement, this is likely a case of financially motivated attackers looking for low-hanging fruit, researchers say — and finding it.
Restaurants and food-service outlets have a unique set of financial challenges (like razor-thin margins) that can often lead to them deprioritizing security, even as they collect reams of data via online ordering, reservations systems, HR systems, and more, on an order of magnitude that far outstrips other sectors, says Andrew Barratt, vice president at Coalfire.
"The challenge is real — we have adaptive threat actors who will chase down any point of access versus defenders with limited budgets and a whole raft of macro-economic stresses to focus in on too," he says. "Really, we need to keep visibility of these kind of compromises high so that executives don't discount them as 'won’t happen to me.'"
Others are less charitable. Horizon3ai's Hong adds, "Unless the attack vector in this incident was a novel one, all signs point to this incident being another example of a company that chose returns over security. With Five Guys pulling in close to $2 billion in revenue, I’d be interested to see what their cybersecurity spend was."
Meanwhile, Web-facing systems could exacerbate the risk, Casey Ellis, founder and CTO at Bugcrowd, says.
"This sounds a lot like a recruiting system where candidates upload their resumes," he tells Dark Reading. "Having these sorts of systems available to the Internet makes sense when you consider the recruiting and job application process, but if something is more available to a public user, it's also more available to a potential attacker."
He adds, "Common Web coding flaws like Indirect Object References (IDOR), authentication flaws, and even injection flaws can enable this type of attacker outcome without the need for lateral movement."
Indeed, Tanium's Morris notes that the most common break-in approaches by threat actors looking for easy pickings tend to be the exploitation of known vulnerabilities, and phishing and stolen credentials. As such, there are simple steps that could make bottom-feeding data thieves simply move on to an easier target.
"Organizations can combat these attacks by having robust life-cycle management of all computer hardware and software. This requires identifying critical assets and data and protecting them accordingly," he says. "Asset life-cycle management must also include sustainable and efficient vulnerability and patching programs. Additionally, strong authentication and authorization processes that includes multifactor authentication need to be employed."