Chick-fil-A has given an update on the data breach it confirmed in January, saying that the restaurant chain is taking the “necessary efforts” to protect its systems and customers.
After a thorough investigation, Chick-fil-A said in a statement Friday that less than 2% of the members of its Chick-fil-A One loyalty program were impacted by the issue. The company has contacted the affected customers.
In a letter sent to affected users Thursday, Chick-fil-A says the breach may have exposed personal data such as names, birthdays, email addresses, account passwords and credit/debit card information. The privately held Atlanta-based company has informed these members about the breach and what steps they should take next.
“We never want our customers to experience something like this and have communicated directly with those impacted to resolve these issues, while taking necessary efforts to protect our systems and our customers for the future,” the statement said. “We are grateful for our customers’ patience while we worked to resolve this issue and sincerely apologize for any inconvenience caused.”
On Jan. 4, Chick-fil-A issued a statement saying that it was aware of suspicious activity on some of its customers’ Chick-fil-A One accounts. The company said it was investigating how certain customers became subject to the fraudulent activity, which it said was not due to a compromise of its internal systems.
According to reports, Chick-fil-A had fallen victim to “credential stuffing” attacks, with accounts stolen and sold online; the Bleeping Computer website reported that accounts were sold for $2 to $200. In credential stuffing, credentials stolen from one service are replayed in bulk to log onto another service, relying on users having reused the same email address and password.
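The login pattern that distinguishes credential stuffing from ordinary failed logins is a single source trying many different accounts in a short window, most of them failing. The following detector is an added example, not code from the article or from Chick-fil-A; it runs over a handful of constructed log lines in a hypothetical `timestamp src=IP user=EMAIL result=OK|FAIL` format and reports, per suspicious source, the accounts that were successfully logged into during the attack window, which is the list a defender would force-reset.

```python
"""Detect credential-stuffing behaviour in web-authentication logs.

Heuristic: a source address that, within a sliding time window, attempts
logins against many *distinct* accounts with a high failure rate. A normal
user touches one account; a brute-force attacker hammers one account with
many passwords; a credential-stuffing run touches many accounts once each.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format; not real customer data).
# 203.0.113.7 sprays seven different accounts in five seconds, one succeeds.
# 198.51.100.9 is a single user mistyping their own password twice.
SAMPLE_LOG = """\
2022-12-18T10:00:01Z src=203.0.113.7 user=alice@example.com result=FAIL
2022-12-18T10:00:02Z src=203.0.113.7 user=bob@example.com result=FAIL
2022-12-18T10:00:02Z src=203.0.113.7 user=carol@example.com result=FAIL
2022-12-18T10:00:03Z src=203.0.113.7 user=dave@example.com result=OK
2022-12-18T10:00:03Z src=203.0.113.7 user=erin@example.com result=FAIL
2022-12-18T10:00:04Z src=203.0.113.7 user=frank@example.com result=FAIL
2022-12-18T10:00:05Z src=203.0.113.7 user=grace@example.com result=FAIL
2022-12-18T10:01:00Z src=198.51.100.9 user=alice@example.com result=FAIL
2022-12-18T10:01:30Z src=198.51.100.9 user=alice@example.com result=FAIL
2022-12-18T10:02:00Z src=198.51.100.9 user=alice@example.com result=OK
2022-12-18T10:05:00Z src=192.0.2.44 user=heidi@example.com result=OK
"""


def parse_line(line):
    """Parse one 'TS src=IP user=U result=OK|FAIL' line into a tuple.

    Returns (timestamp, source, user, success) so that events sort by time.
    """
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, fields["src"], fields["user"], fields["result"] == "OK"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_accounts=5, min_fail_rate=0.5):
    """Return {source: finding} for sources that look like stuffing runs.

    A finding records the largest flagged window (distinct accounts,
    attempts, failures) and 'accounts_to_reset': every account that saw a
    successful login from that source inside any flagged window.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        start = 0
        flagged = None
        compromised = set()
        # Two-pointer sliding window over this source's time-ordered events.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if not e[3])
            if len(users) >= min_accounts and fails / len(win) >= min_fail_rate:
                if flagged is None or len(users) > flagged["distinct_accounts"]:
                    flagged = {"distinct_accounts": len(users),
                               "attempts": len(win), "failures": fails}
                # Successes inside a stuffing window are likely takeovers.
                compromised.update(e[2] for e in win if e[3])
        if flagged:
            flagged["accounts_to_reset"] = sorted(compromised)
            findings[src] = flagged
    return findings


if __name__ == "__main__":
    for src, finding in detect_credential_stuffing(SAMPLE_LOG).items():
        print(src, finding)
```

The thresholds (`min_accounts`, `min_fail_rate`, `window`) are assumptions to tune against a real login volume; the distinct-account count is the key signal, because it is what separates this pattern from a legitimate user who forgot a password.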
In a letter to affected customers that was filed with the California Attorney General’s office, Chick-fil-A said that “unauthorized parties” launched an automated attack against its website and mobile app between Dec. 18, 2022, and Feb. 12, 2023, using account credentials such as email addresses and passwords. The account credentials were obtained from a third-party source, it said.
“This information may have included your name, email address, Chick-fil-A One membership number and mobile pay number, QR code, masked credit/debit card number, and the amount of Chick-fil-A credit (e.g., e-gift card balance) on your account (if any),” the company added. “In addition, if saved to your account, the information may have included the month and day of your birthday, phone number, and address. Importantly, unauthorized parties would only have been able to view the last four digits of your payment card number.”
Chick-fil-A says that, as soon as it discovered the incident, it required customers to reset passwords, removed any stored credit/debit card payment methods, and temporarily froze funds previously loaded onto customers’ Chick-fil-A One accounts. “We also restored customers’ Chick-fil-A One account balances, which may have included a refund to your original form of payment, where possible,” it said.
The company also urged affected customers to reset their passwords, if they have not done so already, and to use a strong, new password that is unique to Chick-fil-A. The restaurant chain also provides information on its website for customers who notice suspicious activity on their accounts.
If customers have any questions about the incident or their account, they can call Chick-fil-A via this toll-free number: (833) 753-4428.
Privacy experts urged Chick-fil-A customers to be on the lookout for scams. “Bad actors definitely harvested plenty of customer info in this breach, grabbing more than enough information to facilitate plenty of phishing schemes,” said Chris Hauk, consumer privacy advocate at the Pixel Privacy website. “Chick-fil-A customers should stay alert for phishing emails, texts, and phone calls.”
“This incident underscores the need to set unique passwords for each of your online accounts,” said Paul Bischoff, privacy advocate at the Comparitech privacy information website. “If you reuse the same password on multiple accounts and one of them is compromised, then they can all be compromised.”
Bischoff urged customers to use a password manager if they can’t memorize unique passwords and enable two-factor authentication on their Chick-fil-A accounts.