Yum!, the US-based parent organisation of KFC and Pizza Hut, has written to a number of employees whose data was stolen by the undisclosed ransomware gang that attacked its systems in January 2023, resulting in the temporary closure of 300 UK outlets.
Upon detecting the initial incident, the organisation’s planned response protocols swung into action. Yum! deployed containment measures to prevent further damage and took affected systems offline, implemented enhanced monitoring, engaged a third-party cyber forensics specialist, and notified US law enforcement.
The organisation said at the time that it was aware that data was taken from its network, but said there was no evidence that customer databases were stolen.
In a new statement provided to Bleeping Computer, a Yum! spokesperson said that during the course of the organisation’s investigation it identified that some personal information relating to employees was exposed. They said the company was still in the process of sending out individual notifications and would be offering complimentary monitoring and protection services.
The spokesperson added that the investigation had still turned up no evidence that any customer data was exposed.
In the letter, dated 6 April, Yum! said that the exposed data included names and personal identifiers linked to driver’s licences and other forms of personal identification.
It added that it has not found any evidence of fraud or identity theft linked to this data, but nevertheless, those affected are being offered two years of credit monitoring and identity protection services through IDX.
UK impact unclear
Despite the initial incident having a UK-wide impact, which saw restaurants around the country unable to trade, the form letter relates to US employees of the organisation.
Computer Weekly contacted Yum! seeking to establish the extent of any impact on UK employees, but the organisation had not responded at the time of writing.
The Information Commissioner’s Office (ICO) said it had not been notified of an incident. Under UK law, organisations must notify it within 72 hours of becoming aware of a personal data breach unless said breach does not pose a risk to people’s rights or freedoms. If an organisation chooses not to report a breach it should still maintain a record of it and be prepared to explain why it was not reported.
In its 2022 annual report, filed earlier in April, Yum! acknowledged that the incident did have a significant impact on its business. It said: “We have incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter.
“We remain subject to risks and uncertainties as a result of the incident, including as a result of the data that was taken from the company’s network.”
Jon Miller, CEO of anti-ransomware specialist Halcyon, said that the three-month gap between the initial incident and the breach disclosure should not come as a surprise, given how long such investigations take to complete, particularly for public, regulated companies.
“One would think that – given how ransomware attacks are designed to reveal themselves to the victim, unlike other attacks – disclosure of the details would come swiftly. That’s not necessarily the case with these attacks that not only deliver ransomware but are also stealthy data exfiltration operations,” he explained.
“Up to the point the ransomware payload is delivered, there is little difference between these cyber criminal ransomware operations and corporate or government espionage attacks. These are complex, multi-stage operations often involving multiple threat actors.
“Their goal, like that of their espionage-focused counterparts, is to be as quiet as possible while infiltrating as much of the targeted network and exfiltrating as much sensitive data as they can, and then leveraging it for a bigger ransom demand,” said Miller.
“In most respects, the only difference between a corporate espionage operation and a ransomware attack is that in the latter the attackers plan on revealing the attack to the victim in time.”