Brent Hofacker - Fotolia

KFC, Pizza Hut data stolen in January ransomware attack

Yum!, the parent organisation behind KFC and Pizza Hut in the UK, has disclosed that employee data was accessed and exfiltrated in a January 2023 ransomware attack

Yum!, the US-based parent organisation of KFC and Pizza Hut, has written to a number of employees whose data was stolen by the undisclosed ransomware gang that attacked its systems in January 2023, resulting in the temporary closure of 300 UK outlets.

Upon detecting the initial incident, the organisation’s planned response protocols swung into action. Yum! deployed containment measures to prevent further damage and took affected systems offline, implemented enhanced monitoring, engaged a third-party cyber forensics specialist, and notified US law enforcement.

The organisation said at the time that it was aware that data was taken from its network, but said there was no evidence that customer databases were stolen.

A Yum! spokesperson said: “In the course of our forensic review and investigation, we identified some personal information belonging to employees was exposed during the January 2023 cyber security incident. We are in the process of sending individual notifications and are offering complimentary monitoring and protection services. We have no indication that customer information was impacted.”

In the letter, dated 6 April, Yum! said that the exposed data included names and personal identifiers linked to driver’s licences and other forms of personal identification.

It added that it has not found any evidence of fraud or identity theft linked to this data, but nevertheless, those affected are being offered two years’ of credit monitoring and identity protection services through IDX.

UK impact unclear

Despite the initial incident having a UK-wide impact, which saw restaurants around the country unable to trade, the form letter relates to US employees of the organisation.

Computer Weekly understands that the majority of affected employees were in the US, and the Information Commissioner’s Office (ICO) said it had not been notified of an incident. Under UK law, organisations must notify it within 72 hours of becoming aware of a personal data breach unless said breach does not pose a risk to people’s rights or freedoms. If an organisation chooses not to report a breach it should still maintain a record of it and be prepared to explain why it was not reported.

In its 2022 annual report, filed earlier in April, Yum! acknowledged that the incident did have a significant impact on its business. It said: “We have incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter.

“We remain subject to risks and uncertainties as a result of the incident, including as a result of the data that was taken from the company’s network.”

Jon Miller, CEO of anti-ransomware specialist Halcyon, said that the three-month gap between the initial incident and the breach disclosure should not come as a surprise, given how long such investigations take to complete, particularly for public, regulated companies.

“One would think that – given how ransomware attacks are designed to reveal themselves to the victim, unlike other attacks – disclosure of the details would come swiftly. That’s not necessarily the case with these attacks that not only deliver ransomware but are also stealthy data exfiltration operations,” he explained.

“Up to the point the ransomware payload is delivered, there is little difference between these cyber criminal ransomware operations and corporate or government espionage attacks. These are complex, multi-stage operations often involving multiple threat actors.

“Their goal, like that of their espionage-focused counterparts, are determined to be as quiet as possible while infiltrating as much of the targeted network and exfiltrating as much sensitive data as they can and then leveraging it for a bigger ransom demand,” said Miller.

“In most respects, the only difference between a corporate espionage operation and a ransomware attack is that in the latter the attackers plan on revealing the attack to the victim in time.”

This article was edited at 15:15 on 11 April 2023 to incorporate an official statement from Yum!.

Read more about recent data breaches

Read more on Data breach incident management and recovery

Data Center
Data Management