KFC Warns 1.2 Million UK Customers of Colonel’s Club Breach

KFC Corporation warned 1.2 million of its UK-based Colonel’s Club members to reset their passwords after 30 members were targeted in an attack.

Update: KFC Corporation warned 1.2 million of its U.K.-based Colonel’s Club members to reset their account passwords after 30 members were targeted in an attack. The subsidiary of Yum Brands said that personal information including names, addresses and e-mail addresses may have been stolen.

The Colonel’s Club loyalty program is exclusive to the U.K. and Ireland and consists of a Colonel’s Club mobile app and rewards card. Yum Brands did not respond to questions seeking specifics on the breach such as when it occurred and the extent of the breach. A KFC spokesperson did reveal that its loyalty system faced a password attack from automated software that attempted to guess Colonel’s Club members’ passwords.

Brad Scheiner, head of IT at KFC U.K. and Ireland said in a statement:

“We take the online security of our fans very seriously, so we’ve advised all Colonel’s Club members to change their passwords as a precaution, despite only a small number of accounts being directly affected. We don’t store credit card details as part of our Colonel’s Club rewards scheme, so no financial data was compromised.”

In its letter to customers, KFC said it has “introduced additional security measures to further safeguard our members’ accounts and to stop this kind of thing happening again.” To ward off future password attacks, KFC said it added an additional reCAPTCHA on its Colonel’s Club members’ website, which is used to distinguish between human and software login attempts.
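The attack KFC describes, automated software guessing many members’ passwords, leaves a distinctive trace in login logs: one source trying many different accounts in a short window, or hammering a single account. The script below is an added illustration, not KFC’s code or a description of its systems; it parses constructed sample log lines (the log format, the thresholds, and the function names are assumptions) to flag sources showing that pattern, decide when a CAPTCHA challenge should be required for a source, and list the accounts that were actually logged into from a flagged source, which are the ones that warrant a forced reset rather than a precautionary one.

```python
"""Flag automated password guessing in auth logs and gate flagged sources.
Added example; log format, thresholds and names are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format: ISO timestamp, source IP,
# account name, outcome). 203.0.113.7 walks through many accounts in seconds;
# 198.51.100.2 is one member mistyping a password twice, then succeeding.
SAMPLE_LOG = """\
2016-12-12T10:00:01 203.0.113.7 alice FAIL
2016-12-12T10:00:02 203.0.113.7 bob FAIL
2016-12-12T10:00:02 203.0.113.7 carol FAIL
2016-12-12T10:00:03 203.0.113.7 dave FAIL
2016-12-12T10:00:03 203.0.113.7 erin FAIL
2016-12-12T10:00:04 203.0.113.7 frank SUCCESS
2016-12-12T10:00:05 203.0.113.7 grace FAIL
2016-12-12T10:05:00 198.51.100.2 alice FAIL
2016-12-12T10:05:09 198.51.100.2 alice FAIL
2016-12-12T10:05:20 198.51.100.2 alice SUCCESS
"""


def parse_log(text):
    """Turn log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, outcome = parts
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "outcome": outcome})
    return events


def detect_automated_guessing(events, window=timedelta(minutes=1),
                              failure_threshold=5, account_threshold=5):
    """Per source IP, look at a sliding time window of its login attempts.
    Flag 'many-accounts' when one source tries >= account_threshold distinct
    accounts inside the window (password spraying / credential stuffing),
    or 'many-failures' when it accumulates >= failure_threshold failures
    (brute force against few accounts). Returns {ip: summary}."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    report = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()
        flag = None
        for e in evs:
            recent.append(e)
            # Drop attempts that fell out of the window.
            while e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            accounts = {r["user"] for r in recent}
            failures = sum(1 for r in recent if r["outcome"] == "FAIL")
            if len(accounts) >= account_threshold:
                flag = "many-accounts"
            elif failures >= failure_threshold and flag is None:
                flag = "many-failures"
        report[ip] = {
            "attempts": len(evs),
            "failures": sum(1 for r in evs if r["outcome"] == "FAIL"),
            "accounts": len({r["user"] for r in evs}),
            "flag": flag,
        }
    return report


def require_captcha(ip, report):
    """Gate decision: a flagged source must solve a CAPTCHA before the next
    attempt is processed; unflagged sources see the normal login form."""
    return report.get(ip, {}).get("flag") is not None


def compromised_accounts(events, report):
    """Accounts that saw a successful login from a flagged source: these
    need a forced reset and notification, not just a precautionary one."""
    flagged = {ip for ip, s in report.items() if s["flag"]}
    return {e["user"] for e in events
            if e["ip"] in flagged and e["outcome"] == "SUCCESS"}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    rep = detect_automated_guessing(evs)
    for ip, summary in rep.items():
        print(ip, summary, "captcha" if require_captcha(ip, rep) else "ok")
    print("force reset:", sorted(compromised_accounts(evs, rep)))
```

The two signals are kept separate on purpose: a member who fails a handful of times against their own account is a typo, not an attack, and should never be locked out by the same rule that catches a source cycling through thousands of member names. In production the window and thresholds would be tuned against real traffic, and the check would run at the login endpoint (or in a WAF) rather than over a log after the fact.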

Yum Brands owns approximately 43,000 restaurants, including KFC, Pizza Hut and Taco Bell, located in 135 countries.

An avalanche of companies triggered password resets in 2016, among them LinkedIn, Twitter, Tumblr and MySpace, all victims of breaches. Hackers target user credentials in the hope that people reused them at other, more sensitive email and financial accounts.

The average number of accounts registered to one email address for 25-34-year-olds is more than 40, according to a survey by credit-checking firm Experian. On average, users had only five different passwords for those 40 accounts, it reported. For those reasons we are seeing an unprecedented push by online companies urging their customers to change their passwords even if they were not directly impacted by a breach. Facebook and Netflix asked users earlier this year to tighten up account security following major breaches.

In its email, KFC also urged Colonel’s Club members to reset login credentials at other sites that use the same password.

(Story was updated 1:30 p.m. ET 12/13 to reflect a statement from KFC describing the nature of the attack and its mitigation efforts.)
