KFC, Pizza Hut, and Taco Bell Data Breach

Yum! Brands, the company that owns KFC, Pizza Hut and Taco Bell, has admitted that a ransomware attack they fell victim to has compromised customer data. This attack dates back as early as January 13th, with Yum! Brands being forced to close nearly 300 restaurants across the U.K. as a direct result. Five days after the attack, on January 18th, the company announced that the attack had not impacted any customer data.

However, further investigations by Yum! Brands have revealed this not to be the case, with evidence revealing that customers' personal information had indeed been stolen by the attackers. This information included names, addresses, driver licence numbers, and other forms of ID.

On April 11th, Yum! Brands informed their customers of the full extent of the previous incident. "We are writing to provide you with information about a cybersecurity incident involving your personal information that occurred in mid-January 2023," a company spokesman wrote. "Our review determined that the exposed files contained some of your personal information, including [Name or other personal identifier in combination with: Driver's License Number or Non-Driver Identification Card Number]."

Javvad Malik, Lead Awareness Advocate at KnowBe4 highlights that customer data is the most priceless asset that companies own. "When one thinks of the major brands under the Yum! group, one would be quick to assume that the Colonel's 11 secret herbs and spices were the most priceless info these companies held. However, it's not just the finger-lickin' recipes which criminals are after; any personal data which organisations collect which belongs to employees or customers can be easily monetised and turned around by criminals."

Jon Miller, CEO & Co-founder of Halcyon, backs this up, writing that "given how common it is for ransomware attacks to include the exfiltration of sensitive data, we should start talking about this issue as a data exfiltration attack problem that includes the delivery of a ransomware payload, instead of the other way around. While it may be a painful process to mitigate the impact of a ransomware attack, if the organisation made the effort to build-in resilience to its incident response plans, it will recover. There is no recovery from data exfiltration - once the attackers have your data, it is beyond your control what happens to it."

Darren Williams, CEO and Founder of BlackFog states that "this attack highlights not only the direct costs of a ransomware attack, but also the flow-on effects such as remediation, reporting and exposure to class action lawsuits. The additional regulatory reporting requirement for PII raises additional concerns and raises questions about the extent of the data exfiltration that has taken place. There is no question that this information will be sold on underground trading networks on the Dark Web such as Industrial Spy as we have seen in the past."