Well-known fast food restaurant chain KFC has warned all 1.2 million of its loyalty card customers that their details may have been breached after its website was attacked in a cyber hack.
The fast food chain’s Head of IT, Brad Scheiner, issued the warning, saying that “only around 30 members were targeted”.
The insinuation from KFC appears to be that, because only a ‘small’ number of members have been targeted, the breach is less serious. But that isn’t always the case, as any data breach can be a breach of data protection rights afforded to us under the Data Protection Act (DPA).
Precautions taken by the fast food chain
As a precautionary measure, KFC has contacted customers who hold a loyalty card for the Colonel’s Club scheme to warn of the breach, advising people to change passwords. For those members who have used the same password across multiple accounts, this could be disastrous, as the cyber-hackers could use it to gain access to more information.
What information was breached?
Members may be able to get comfort from the fact that KFC say that no financial information was compromised. Still, personal details such as names, addresses, email addresses and passwords are thought to be part of the personal information that was hacked.
Additional security measures
The email that the fast food chain sent out said the following:
“…our monitoring systems have found a small number of Colonel Club accounts may have been compromised as a result of our website being targeted.”
This should give some assurance that KFC had some systems in place to detect hacking, but the system is arguably not good enough to completely defend against an attack.
As a result of the attack, KFC has introduced “additional security measures to further safeguard [their] members’ accounts”. This is common among companies and organisations that fall victim to cyber-hacks: they fail to have a secure system in place, but then introduce ‘additional measures’ post-breach (after the damage has been done!).
Do more to protect data; or face the consequences
It’s time for companies and organisations, like KFC, to be proactive in their data protection approach. Acting only once their members’ personal data has been breached is of little use. Although this may be a ‘small breach’ in terms of the numbers involved, it should serve as a warning that the volume of the breach could’ve been much greater, with much more devastating consequences.
The fast food chain was lucky not to be subject to a greater hack, e.g. one affecting all 1.2 million members. However, if they continue to be lax in their cybersecurity, this could be something they face in the near future.