Customers of TGI Fridays Australia were “strongly recommended” to change their MyFridays membership rewards program passwords. According to an email sent to customers this week, the company had inadvertently left sensitive loyalty program data exposed on the internet.
News of the leaky server spread via social media, and on Thursday TGI Fridays Australia confirmed to Threatpost that there had been a potential leak of data.
The company explained to Threatpost the publicly exposed data included “back-up files containing data related to an Australian customer program. This did not include any financial information and there has not been any malicious data breach or hack.”
TGI Fridays has a total of 13 franchises in Australia, compared to 404 restaurants in the United States.
“All MyFridays member passwords are securely hashed, however we strongly recommend you reset your MyFridays Reward password and consider changing any and number,” the company wrote. The chain also recommended that customers use caution with unsolicited emails that request personal information or point to websites.
Whoops. Unsecured S3 bucket? Pretty reasonable message though. @troyhunt pic.twitter.com/uDnN4fkTzj
— Andrew Brock (@AndrewBrocky) August 27, 2019
The company stressed that the instance of the leaky server is an isolated matter only impacting TGI Fridays Australia with no connection or impact to TGI Fridays USA or any other global markets.
When asked, the company declined to say how many customers were impacted, what type of data was exposed, for how long, or why it was left exposed. It also declined to say what platform the data was stored on, or whether the data may have included customer profile information gathered by the company’s burgeoning artificial-intelligence-driven marketing program.
TGI Fridays Australia said it had partnered with a dedicated Melbourne, Australia based cyber security firm to assess the exposed data and systems. “We have also notified the Office of the Australian Information Commissioner who are satisfied with this matter,” the company said in a statement.
Franchise loyalty programs have been an attractive target for hackers in the past. KFC Corporation warned in 2016 that 1.2 million of its UK-based Colonel’s Club members needed to reset their passwords after 30 members were targeted in an attack. Reward points were also believed to be the motive behind a 2018 hack of a half-million online accounts that specifically targeted services offering rewards points. Also in 2018, Dunkin’ Brands Inc. notified customers of DD Perks, its Dunkin’ Donuts rewards program, of a credential-stuffing attack targeting customer data.
In those cases the attackers are believed to have obtained loyalty-program usernames and passwords as part of a wider effort to reuse those credentials against other online accounts through large volumes of automated login requests, a technique known as credential stuffing. Because victims reuse passwords across services, a fraction of those replayed logins succeed, which is why a stuffing campaign shows up as one source trying many different accounts with a high, but not total, failure rate.
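The pattern described above is easy to spot in authentication logs once you look at it per source address rather than per account. The following is an added example, not code from the article or from any of the companies named in it: a small credential-stuffing detector that scans constructed login-log lines (the timestamps, IPs and e-mail addresses are made up; the log format, the 60-second window and the thresholds of five distinct accounts and a 50% failure ratio are assumptions for illustration). It flags sources that cycle through many different usernames in a short window and, for each flagged source, lists the accounts where a login nevertheless succeeded, since those are the accounts that need a forced password reset.

```python
"""Toy credential-stuffing detector over constructed login-log lines (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <source ip> <username> <OK|FAIL>".
# None of these addresses or accounts are real.
SAMPLE_LOG = """\
2019-08-27T10:00:01Z 203.0.113.5 alice@example.com FAIL
2019-08-27T10:00:02Z 203.0.113.5 bob@example.com FAIL
2019-08-27T10:00:02Z 203.0.113.5 carol@example.com OK
2019-08-27T10:00:03Z 203.0.113.5 dave@example.com FAIL
2019-08-27T10:00:03Z 203.0.113.5 erin@example.com FAIL
2019-08-27T10:00:04Z 203.0.113.5 frank@example.com FAIL
2019-08-27T10:00:10Z 198.51.100.9 alice@example.com FAIL
2019-08-27T10:00:15Z 198.51.100.9 alice@example.com OK
2019-08-27T10:05:00Z 192.0.2.77 grace@example.com OK
"""


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[Event]:
    """Parse the assumed four-column log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"))
    return events


def detect_stuffing(events, window=timedelta(seconds=60), min_users=5, min_fail_ratio=0.5):
    """Return {ip: summary} for sources that, within `window`, attempted at least
    `min_users` distinct accounts with a failure ratio of at least `min_fail_ratio`.

    A stuffing source is NOT all failures: the successful logins it produced are
    the compromised accounts, so they are collected in summary["compromised"]."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        win = deque()                       # events from this ip inside the sliding window
        for e in evs:
            win.append(e)
            while win[0].ts < e.ts - window:  # drop events older than the window
                win.popleft()
            users = {w.user for w in win}
            fails = sum(1 for w in win if not w.ok)
            ratio = fails / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                entry = flagged.setdefault(ip, {"distinct_users": 0, "fail_ratio": 0.0, "compromised": set()})
                entry["distinct_users"] = max(entry["distinct_users"], len(users))
                entry["fail_ratio"] = round(ratio, 2)
                entry["compromised"] |= {w.user for w in win if w.ok}

    for entry in flagged.values():          # make output deterministic / JSON-friendly
        entry["compromised"] = sorted(entry["compromised"])
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

On the constructed log, 203.0.113.5 is flagged (six accounts in three seconds, five failures) and carol@example.com is reported as compromised; 198.51.100.9, which fails once and then succeeds on a single account, looks like a user mistyping a password and is not flagged. In a real deployment the per-IP key should be widened to cover distributed botnets (for example, by user-agent or by ASN) and the thresholds tuned to the site's normal traffic.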
Inadvertently exposed cloud storage has also been the bane of many companies that keep sensitive data there. Often it is unclear afterwards whether the data was stolen or manipulated by a malicious third party while it was reachable.
Last month, an unsecured database belonging to Honda Motor Company was found leaking crucial information about its global systems, including which devices aren’t up-to-date or protected by security solutions.
In June, three publicly accessible cloud storage buckets from data-management company Attunity leaked more than a terabyte of data from its top Fortune 100 customers, including internal business documents, system passwords and sensitive employee information.
In May, IT services provider HCL Technologies inadvertently exposed passwords, sensitive project reports and other private data of thousands of customers and internal employees on various public HCL subdomains.
And in April, hundreds of millions of Facebook records were found in two separate publicly exposed app datasets.