KFC, Pizza Hut and Taco Bell owner Yum! Brands is warning thousands of customers that their personal data may have been stolen in a data breach triggered by a ransomware attack in January.
The company admitted the cyberattack on January 18, saying the incident had forced it to shut down systems to contain it and to close about 300 restaurants in the UK for one day.
Yum! says that it took immediate action to secure affected systems, informed the authorities, including the Information Commissioner’s Office, and brought in top digital forensics and restoration teams to handle the situation.
Despite the ransomware attack forcing the closure of a large number of its UK restaurants, Yum! initially stated that there was no sign that the hackers had stolen any personal customer data.
However, Yum! is now issuing letters to affected individuals, clarifying that some of their personally identifiable information (PII) was indeed compromised in the incident, although it has stressed that there is no evidence that the data has been used in any malicious attacks.
Even so, Yum! urged those affected to remain alert to the possibility of identity theft and fraud by reviewing their account statements and monitoring any available credit reports for any unauthorised or suspicious activity.
The company also said customers should be cautious about responding to any emails, phone calls, or other forms of contact that request personal or sensitive information.
Yum! Brands, along with its subsidiaries, manages or franchises over 55,000 restaurants in 155 countries and territories.
The firm has also admitted that some of its 36,000-strong workforce have been affected.
A spokesperson said: “In the course of our forensic review and investigation, we identified some personal information belonging to employees was exposed during the January 2023 cybersecurity incident. We have no indication that customer information was impacted.”
It is offering complimentary credit monitoring and identity protection services to affected individuals for two years through IDX. This also includes dark web monitoring to detect whether any of the compromised data has surfaced on illicit online forums.