Photo by Jace Miller on <a href="https://www.pexels.com/photo/woman-sitting-at-a-table-holding-a-cup-of-drink-9659880/" rel="nofollow">Pexels.com</a>
One-sentence summary:
Chick-fil-A recently concluded a credential stuffing campaign breaching the sensitive data of over 71,000+ customers.
Who was involved?
71,000 Chick-fil-A customers, Chick-fil-A, and a threat actor.
What was the timeline?
December 18, 2022: Attack starts
February 12, 2023: Chick-fil-A discovers the breach and the attack ends (Chick-fil-A, Inc., 2023, p. 1).
March 2, 2023: Chick-fil-A begins notification of affected parties.
What occurred?
An “automated” credential stuffing attack occurred against Chick-fil-A’s web and mobile application via stolen credentials obtained through an external means (Chick-fil-A, Inc., 2023, p. 1). Over 71,473 customers were affected (Peretti, 2023). Information breached included “name, email address, Chick-fil-A One membership number and mobile pay number, QR code, masked credit/debit card number, and the amount of Chick-fil-A credit (e.g., e-gift card balance) on your account (if any)” and, “if saved to your account,” “month and day of your birthday, phone number, and address” (Chick-fil-A, Inc., 2023, p. 1).
Estimated costs:
Data breach notification costs. “National forensics firm” and incident response costs (Chick-fil-A, Inc., 2023, p. 1). M-F call center.
Involved laws:
State laws: Maine: 10 M.R.S.A. § 1346
California: CCPA and Cal. Civ. Code § 1798.29(a)
Root cause:
Credential stuffing.
Lessons learned:
Good password hygiene, password reuse education, lockout policies, strong password policies, mandatory 2FA, breach-checking/breach warning password managers.
Sources:
Chick-fil-A, Inc. (2023). Individual Notification Template. In Office of the Maine Attorney General. Office of the Maine Attorney General. Retrieved March 7, 2023, from https://apps.web.maine.gov/online/aeviewer/ME/40/66699dcb-5f86-40bb-9d12-d64dea06faca/ec19585c-8c34-4293-b2df-199b6a6ab9a0/document.html
Peretti, K. (2023, March 2). Office of the Maine AG: Consumer Protection: Privacy, Identity Theft and Data Security Breaches. Office of the Maine Attorney General. Retrieved March 7, 2023, from https://apps.web.maine.gov/online/aeviewer/ME/40/66699dcb-5f86-40bb-9d12-d64dea06faca.shtml
