Five Guys delaying breach disclosure favors attackers


Once breached, companies are in no rush to inform people somebody has stolen their data, giving ample time for crooks to prepare.

Five Guys, a popular American fast-food chain, had attackers penetrate its systems, accessing sensitive employee data, such as names, Social Security numbers (SSNs), and driver‘s license numbers.

Personal data taken from companion identification and work authorization documents presents attackers with a treasure trove of information to carry out cyberattacks, Neil Jones, Director of CyberSecurity Evangelism at cybersecurity firm Egnyte, thinks.

“Although there’s no current evidence that the breached information has been used maliciously, it is not uncommon for attackers to wait for just the right moment to post their breached data to the Web,” Jones said.

Five Guys operates in over 1,700 locations worldwide, employs over 5,000 people, and boasts a revenue north of $1.7 billion.

“Waiting three months after a breach has been identified to inform victims is a situation all organizations should strive to avoid.”

Schroeder said.

Sluggish reaction

While Five Guys disclosed the breach on December 29 last year, the attack occurred on September 17. According to Julia O’Toole, CEO of cybersecurity firm MyCena Security Solutions, the company’s actions somewhat benefited the attackers.

“This is yet another incident where attackers have managed to breach an organization’s network, and the victims whose data was stolen were not informed until months later, offering attackers ample time to use that information to commit credit and identity fraud,” O’Toole said.

Organizations that store data are responsible for keeping it safe, thinks Jordan Schroeder, managing CISO of cybersecurity firm Barrier Networks, said. Not only that, but companies should also employ strict threat monitoring practices to briskly inform victims someone stole their data.

“Waiting three months after a breach has been identified to inform victims is a situation all organizations should strive to avoid,” Schroeder said.

Identity theft

Attacks that result in the theft of personal identifiable information (PII) are particularly dangerous, Schroeder explained.

Threat actors may use stolen personal data for identity theft. The practice often includes fraudulent purchases that end up on the victim’s credit report.

Even though losing an SSN can present victims with thousands of dollars of damages, cybercriminals sell individual SSNs on the darkweb for as little as $4.

To increase the worth of the data, threat actors collate datasets with thousands of individuals, adding additional information, such as a home address, driver’s license number, and anything else they can get their hands on.


More from Cybernews:

How hackers might be exploiting ChatGPT

ChatGPT blocked in NYC schools over cheating concerns

Russian threat group using other crooks’ malware to target Ukraine, says watchdog

Latest phishing campaign hits Zoom users with malware

WhatsApp enables messaging during internet shutdowns

Subscribe to our newsletter



Leave a Reply

Your email address will not be published. Required fields are markedmarked