It’s not every day that I get to report a breach at my favorite burger joint in the world, but when duty calls, make sure your burger joint’s data is secure — no one wants a breachy burger!
Who are Five guys?
Five Guys is a global burger restaurant chain for those who have been living in a nuclear bomb shelter in recent years. They are successful because of their focus on high-quality ingredients, generous portions, and customer service. They use only fresh, never frozen ground beef, and their burgers are cooked to order in their open kitchens. They also offer a large selection of free toppings. Additionally, Five Guys Burgers is known for its positive and upbeat atmosphere, which provides guests with an enjoyable and memorable dining experience.
The first Five Guys location opened in Arlington, VA and currently they have more than 1,700 locations over the world and another 1,500 in development.
According to a data breach document released by Five Guys, and a version of it was also published by the official Massachusetts Commonwealth website, the company reported that on September 17th, 2022, files on their server were accessed by an unauthorized actor, and on December 8th, it was concluded that files submitted to the company with names and other information were accessed during an employment process that was in progress.
The measures taken to mitigate the data breach
Five Guys issued credit for monitoring and identity protection services through a company at no cost to people who might have been hurt by this data breach. The protection service also includes 2 years of cyber scan monitoring and $1 million in insurance.
But one might say that yes, Five Guys is taking important and interesting steps by notifying the people whose information was breached, but what does the company do? This, however, has yet to be discovered.
Is it an API Security issue?
From the sound of it, yes, it might be an excessive data exposure, a security misconfiguration, or even an IDOR. My guess is that time will tell if it’s a deeper hack or just a script kiddie prank made to prove a point, as overall it happened in the employment process of the company.
The API Security and business logic take
All in all, if his data breach incident is related to an API that was used by the company, there are easy measures that can be taken in order to prevent such incidents, even starting in the CI/CD development pipeline. There are a number of solutions for that, including free and open-source tools that can find misconfigurations in API specifications and even deal with IDOR to some extent.
Update: On December 30th, Turke & Strauss LLP, with its main office in Madison, WI, posted on their blog that they would like to speak with anyone who received a breach notification letter from Five Guys and released a statement on their website about rights and potential legal remedies in response to the breach Five Guys suffered. Anyone who answers this call may reach them through a contact form they made possible in that blog post.
In conclusion, Five Guys, the beloved global burger chain, recently experienced a data breach that affected files submitted to the company during an ongoing employment process. While the company has taken steps to offer credit monitoring and identity protection services to those affected, it remains to be seen what measures they will take to prevent similar incidents in the future. It is possible that the breach was related to an API security issue, but only time will tell. Regardless, this serves as a reminder to all companies to prioritize data security and to take preventative measures to protect against breaches. Remember, no one wants a breachy burger!
Note that no burgers were harmed while writing this article, but I’m sure as hell hungry now.