Euro Security Watch with Mathew J. Schwartz

Data Breach

Kentucky Fried Breach Who Hacked the Colonel?
Kentucky Fried Breach
Credit: Mike Mozart (Flickr/CC)

In the latest sign that when it comes to data, absolutely nothing is sacred, hackers have set their sights on fans of Kentucky Fried Chicken.

See Also: The Cost of Social Engineering: 3.1 Billion Reasons to Pay Attention

KFC, a Yum Brands chain, is warning 1.2 million members of its loyalty program in the U.K. and Ireland that their login credentials may have been compromised by attackers attempting to guess usernames and passwords. It's sent an email to all program members urging them to change their passwords.

"We've now introduced additional security measures to further safeguard our members' accounts and to stop this kind of thing from happening again." 

"We take the online security of our fans very seriously, so we've advised all Colonel's Club members to change their passwords as a precaution, despite only a small number of accounts being directly affected," Brad Scheiner, Head of IT at KFC UK & Ireland, tells Information Security Media Group. "We don't store credit card details as part of our Colonel's Club rewards scheme, so no financial data was compromised."

The loyalty program, known as the Colonel's Club, involves using an Android or iOS app - or else a physical card - to earn virtual "stamps" every time customers spend a preset amount which they can later exchange for free food.

In a frequently asked questions section on KFC's website, the chain promises: "Please don't worry, your information is safely locked away with us and will not be shared with anyone."

KFC says it has more than 20,000 outlets in 125 countries and territories around the world. But Colonel's Club only works in the United Kingdom and Ireland, meaning the breach is restricted to just those geographies.

In its email to customers, the chain says that it's "monitoring systems" helped spot that "a small number of Colonel's Club accounts may have been compromised as a result of our website being targeted."

A spokesman tells me: "As a result of automated software attempting to guess Colonel's Club members' passwords, we have implemented changes to our back-end and front-end systems. One thing customers may notice is the addition of reCAPTCHA on the website which is used to distinguish between human and software login attempts."

KFC believes that only about 30 of its 1.2 million members had been targeted.

Loyalty Programs Under Fire

The breach, of course, is the latest reminder to users to never reuse the same password on different sites. Instead, many security experts recommend that everyone always employ a password manager to keep track of unique passwords for every site they use. Password managers can be used as standalone apps on laptops, desktops or mobile devices, as well as via services with an online component (see Why Are We So Stupid About Passwords? Yahoo Edition).

This isn't the first time that fraudsters have targeted a chain's loyalty program (see Fraudsters Drain Starbucks Accounts).

But Colonel's Club users may be getting off easy, vis-à-vis many other types of hack attacks.

Since the Colonel's Club program doesn't give customers the ability to tie payment cards to the account or charge them up with virtual cash, the only thing at risk is that users might lose a free "Flamin Wrap" or two.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network