Chick-fil-A has given an update on the data breach it confirmed in January, saying that the restaurant chain is taking the “necessary efforts” to protect its systems and customers.
After a thorough investigation, Chick-fil-A said in a statement Friday that less than 2% of the members of its Chick-fil-A One loyalty program were impacted by the issue.
In a letter sent to affected users Thursday, Chick-fil-A says the breach may have exposed personal data such as names, birthdays, email addresses, account passwords and credit/debit card information. The privately-held Atlanta-based company has informed these members about the breach, and what steps they should take next.
“We never want our customers to experience something like this and have communicated directly with those impacted to resolve these issues, while taking necessary efforts to protect our systems and our customers for the future,” the statement said. “We are grateful for our customers’ patience while we worked to resolve this issue and sincerely apologize for any inconvenience caused.”
Read the full statement below:
MarketWatch has contacted Chick-fil-A for additional details on the breach.
See Now: The Unconventional Franchise Model Behind Chick-fil-A’s Success
On Jan. 4, Chick-fil-A issued a statement saying that it was aware of suspicious activity on some of its customers’ Chick-fil-A One accounts. The company said it was investigating how certain customers became subject to the fraudulent activity, which it said was not due to a compromise of its internal systems.
Chick fil-A had fallen victim to “credential stuffing” attacks, with accounts stolen and sold online, according to reports, with the Bleeping Computer website reporting that accounts were sold for $2 to $200. In credential stuffing, stolen credentials are used to log onto another service.
In a letter to affected customers that was filed with the California Attorney General’s office, Chick fil-A said that “unauthorized parties” launched an automated attack against its website and mobile app between Dec. 18, 2022 and Feb. 12, 2023, using account credentials such as email addresses and passwords. The account credentials were obtained from a third-party source, it said.
“This information may have included your name, email address, Chick-fil-A One membership number and mobile pay number, QR code, masked credit/debit card number, and the amount of Chick-fil-A credit (e.g., e-gift card balance) on your account (if any),” the company added. “In addition, if saved to your account, the information may have included the month and day of your birthday, phone number, and address. Importantly, unauthorized parties would only have been able to view the last four digits of your payment card number.”
See Now: The spending life of U.S. teens: Chick-fil-A, Nike and bitcoin
Chick fil-A says that, as soon as it discovered the incident, it required customers to reset passwords, removed any stored credit/debit card payment methods, and temporarily froze funds previously loaded onto customers’ Chick-fil-A One accounts. “We also restored customers’ Chick-fil-A One account balances, which may have included a refund to your original form of payment, where possible,” it said.
The company also urged affected customers to reset their passwords, if they have not done so already, and to use a strong, new password that is unique to Chick-fil-A. The restaurant chain also provides information on its website for customers who notice suspicious activity on their accounts.
This post was originally published on Market Watch
