KFC, Pizza Hut parent discloses data breach
Yum! Brands hit with ransomware
Yum! Brands, the company that owns KFC, Taco Bell and Pizza Hut, is notifying employees that their personal info may have been stolen in a cyberattack earlier this year.
Yum! Brands, the company that owns KFC, Taco Bell and Pizza Hut, is notifying an undisclosed number of individuals about their personal data being affected by a data breach from a ransomware attack in January.
Yum! disclosed the cyberattack on 18th January. The incident led the company to shut down systems to contain it and to temporarily close about 300 restaurants in the UK for a day.
Upon discovering the cybersecurity incident, the company took immediate action to secure affected systems, informed law enforcement and worked with digital forensics and restoration teams to remediate the situation.
After containing the incident, the company conducted an assessment, with the help of external experts, to determine if any individuals' personal data was present in the impacted files.
Despite the ransomware attack forcing the closure of a large number of its UK restaurants, Yum! initially said there was no indication that the hackers had exfiltrated any personal data.
However, the company is now issuing notification letters to affected individuals, clarifying that some of their personally identifiable information (PII) was indeed compromised in the incident.
"Our review determined that the exposed files contained some of your personal information, including [Name or other personal identifier in combination with: Driver's License Number or Non-Driver Identification Card Number]," the company wrote in a letter to affected people.
The company underscored that there is no evidence indicating that the compromised data has been used in any malicious attacks.
As a general precaution, Yum! recommends that impacted individuals remain alert to the possibility of identity theft and fraud by reviewing their account statements and monitoring any available credit reports for any unauthorised or suspicious activity.
The company also advises caution when responding to any emails, phone calls, or other forms of contact that request personal or sensitive information.
Yum! has disclosed in its annual report, filed with the US Securities and Exchange Commission, that while the intrusion resulted in costs for the company, it did not have a significant negative financial impact.
Yum! Brands, along with its subsidiaries, manages or franchises over 55,000 restaurants in 155 countries and territories, with the assistance of approximately 36,000 employees worldwide.
"In the course of our forensic review and investigation, we identified some personal information belonging to employees was exposed during the January 2023 cybersecurity incident," a spokesperson said. "We have no indication that customer information was impacted."
Yum! is offering complimentary credit monitoring and identity protection services to affected individuals for two years through IDX.
These services encompass credit monitoring, a $1,000,000 insurance reimbursement policy, and complete managed identity restoration in the event that an individual becomes a victim of identity theft.
They also include dark web monitoring to detect whether any of the compromised data has surfaced on illicit online forums.
Update 12th April: This story was updated with the information that employee data, not customer data, was affected in the attack.