

Expert commentary: Five Guys data breach

January 2023 by Tim Morris, Chief Security Advisor at Tanium

The fast food chain Five Guys has experienced a data breach. Cyberattackers broke into a file server and made off with the personally identifiable information (PII) of people who applied to work at the chain. The following comment is attributed to Timothy Morris, Chief Security Advisor at Tanium:

“The Five Guys CEO letter says the attackers gained access to a file server but no lateral movement is mentioned. This seems therefore like a smash-and-grab kind of situation. The common break-in approaches for attacks like these are via exploitation of vulnerabilities, phishing, malware, and stolen credentials. Motivation for data theft is almost always monetary. This incident appears to be data related to the employment process. That data typically contains PII that can be sold on the dark web, used for identity theft, or extortion.

The most common initial attack vectors are exploitation of vulnerabilities and stolen credentials. Organisations can combat these by having robust lifecycle management of all computer hardware and software. This requires identifying critical assets and data and protecting them accordingly. Asset lifecycle management must also include sustainable and efficient vulnerability and patching programs. Additionally, strong authentication and authorisation processes that include MFA need to be employed.

Overall, there need to be better standards when it comes to flagging the issue and sending a customer notification letter. In March 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was signed into law. This requires the “Cybersecurity and Infrastructure Security Agency (CISA) to develop and issue regulations requiring covered entities to report to CISA any covered cyber incidents within 72 hours from the time the entity reasonably believes the incident occurred.”

The CIRCIA is for critical infrastructure industries, like power, transportation, financial services, etc. and potential regulated communities. Reporting is currently voluntary. Some industries like financial services have additional reporting requirements, e.g., SEC, or OCC. Regulations have not reached all industries.

After the Five Guys attack, there is potential here for a ripple effect. Any victimised organisation could receive double extortion threats, i.e., ask for money to not leak or sell the data. Individuals whose information is contained in the breach could be victims of “triple extortion” whereby the attackers demand money from them to in turn not sell or use their data.

It is important for anyone impacted by this breach to take advantage of the credit monitoring being made available. Follow the steps suggested in the CEO letter for fraud alerts and credit or security freezes. Victims should monitor their bank accounts closely and have their transaction alerts activated.”
