KFC, Pizza Hut data stolen in January ransomware attack

Yum!, the parent organisation behind KFC and Pizza Hut in the UK, has disclosed that employee data was accessed and exfiltrated in a January 2023 ransomware attack

By Alex Scroxton

Published: 11 Apr 2023 14:45

Yum!, the US-based parent organisation of KFC and Pizza Hut, has written to a number of employees whose data was stolen by the undisclosed ransomware gang that attacked its systems in January 2023, resulting in the temporary closure of 300 UK outlets.

Upon detecting the initial incident, the organisation’s planned response protocols swung into action. Yum! deployed containment measures to prevent further damage and took affected systems offline, implemented enhanced monitoring, engaged a third-party cyber forensics specialist, and notified US law enforcement.

The organisation said at the time that it was aware that data was taken from its network, but said there was no evidence that customer databases were stolen.

A Yum! spokesperson said: “In the course of our forensic review and investigation, we identified some personal information belonging to employees was exposed during the January 2023 cyber security incident. We are in the process of sending individual notifications and are offering complimentary monitoring and protection services. We have no indication that customer information was impacted.”

In the letter, dated 6 April, Yum! said that the exposed data included names and personal identifiers linked to driver’s licences and other forms of personal identification.

It added that it has not found any evidence of fraud or identity theft linked to this data, but nevertheless, those affected are being offered two years of credit monitoring and identity protection services through IDX.

UK impact unclear

Despite the initial incident having a UK-wide impact, which saw restaurants around the country unable to trade, the form letter relates to US employees of the organisation.

Computer Weekly understands that the majority of affected employees were in the US, and the Information Commissioner’s Office (ICO) said it had not been notified of an incident. Under UK law, organisations must notify it within 72 hours of becoming aware of a personal data breach unless said breach does not pose a risk to people’s rights or freedoms. If an organisation chooses not to report a breach it should still maintain a record of it and be prepared to explain why it was not reported.

In its 2022 annual report, filed earlier in April, Yum! acknowledged that the incident did have a significant impact on its business. It said: “We have incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter.

“We remain subject to risks and uncertainties as a result of the incident, including as a result of the data that was taken from the company’s network.”

Jon Miller, CEO of anti-ransomware specialist Halcyon, said that the three-month gap between the initial incident and the breach disclosure should not come as a surprise, given how long such investigations take to complete, particularly for public, regulated companies.

“One would think that – given how ransomware attacks are designed to reveal themselves to the victim, unlike other attacks – disclosure of the details would come swiftly. That’s not necessarily the case with these attacks that not only deliver ransomware but are also stealthy data exfiltration operations,” he explained.

“Up to the point the ransomware payload is delivered, there is little difference between these cyber criminal ransomware operations and corporate or government espionage attacks. These are complex, multi-stage operations often involving multiple threat actors.

“Their goal, like that of their espionage-focused counterparts, are determined to be as quiet as possible while infiltrating as much of the targeted network and exfiltrating as much sensitive data as they can and then leveraging it for a bigger ransom demand,” said Miller.

“In most respects, the only difference between a corporate espionage operation and a ransomware attack is that in the latter the attackers plan on revealing the attack to the victim in time.”

This article was edited at 15:15 on 11 April 2023 to incorporate an official statement from Yum!.
