KFC, home of such culinary delicacies as the Zinger Burger and the Original Recipe Bargain Bucket, says that some members of its Colonel’s Club have had their accounts breached.
Members of the Colonel’s Club collect “Chicken Stamps” to earn free food rewards, and can receive exclusive offers from KFC. I know, I know… it sounds incredible.
But what’s less easy to swallow is that hackers may have broken into a “small number” of Colonel’s Club accounts. As a consequence, KFC has emailed members telling them that they should change their password:
Our monitoring systems have found a small number of Colonel’s Club accounts may have been compromised as a result of our website being targeted. Whilst it’s unlikely you have been impacted, we advise that you change your password as a precaution. If you use the same email address and password across other services, you should also reset them, just to be safe.
To be fair to KFC, I like that they have been transparent about what’s happened, and that they’re giving the sensible advice that users who reused the same password elsewhere on the net should reset it there too. As we’ve mentioned before, reusing the same password in multiple places is one of the biggest mistakes you can make with passwords: once one site leaks it, an attacker can simply try the same email address and password against every other service you use.
KFC told ITV News that the Colonel’s Club does not store any payment information, so the financial details of members have not been put at risk. Additionally, the company said that “only 30 of its 1.2 million members had been targeted but that all customers had been informed.”
That all sounds like good news to me.
It would be nice, however, to know what other information the hackers might have accessed. For instance, it would be a surprise if the hackers had managed to access passwords but *not* the users’ email addresses. Armed with a list of addresses known to belong to Colonel’s Club members, it’s easy to imagine how an attacker might craft a convincing KFC-themed phishing email and spam it out to KFC lovers.
At least KFC weren’t too chicken to ‘fess up to what appears to have happened. Still, it would be nice for them to share more information in time about precisely *how* the hackers may have breached their systems – in case there are lessons that other businesses could learn from the experience.
Unfortunately there’s no guarantee that more information will be released. Many companies don’t like to risk revealing where they’ve goofed up when it comes to security in case they’re left with, err... egg on their face.
Also an interesting example of malefactors going after a superficially low-value target (assuming that payment card details weren't accessed), presumably purely to attempt to harvest and reuse the credentials elsewhere or, as you state, to attempt a follow-up phishing campaign. Perhaps the positive that could be taken from this is that criminals are resorting to targeting the Colonel's Chicken Club, but in the context of the worrying phrase that I still hear from smaller/niche businesses: 'why would anybody want to hack us?'