Chick-fil-A: 71,000 customers had financial information stolen during cyberattack

Fast food giant Chick-fil-A said more than 71,000 of its customers had their financial information stolen from their website during a breach lasting from December to February.

In documents filed with the attorney general offices of Maine, Montana and California, Chick-fil-A said it began an investigation after discovering “suspicious login activity” connected to an unknown number of Chick-fil-A One accounts.

“Following a careful investigation, we determined that unauthorized parties launched an automated attack against our website and mobile application ... using account credentials (e.g., email addresses and passwords) obtained from a third-party source,” the company said. The attack began on December 18 and concluded February 12.

The information stolen includes names, credit/debit card numbers, email addresses and membership numbers. Some accounts also had identifying information like birthdays, phone numbers and addresses.

While the breach notification letter says the hackers could only see the last four digits of a card number, the landing page for the filing with Maine’s Attorney General office said the information stolen included “Financial Account Number or Credit/Debit Card Number (in combination with security code, access code, password or PIN for the account).”

The company did not respond to requests for comment about the discrepancy. 

Victims of the hack – which Chick-fil-A said affected 71,473 people – are not being offered identity theft protection services. 

But the company said it took a range of actions in response to the hack, including requiring password resets, removing stored credit or debit cards and freezing all funds that were loaded into Chick-fil-A One accounts.

The company said it “restored” the balance in all Chick-fil-A One accounts if funds were taking out, in some cases resulting in a de-facto “refund.”

“As an additional way to say thank you for being a loyal Chick-fil-A customer, we have added rewards to your account,” the company said. 

In January, Chick-fil-A warned customers about suspicious activity after dozens of people took to social media to report that their accounts had been accessed and used to make orders.

If mobile orders were placed fraudulently from someone’s account, the restaurant chain urged them to contact customer service, adding that their internal team would investigate and may follow up with more information.

On Twitter and Reddit, several customers reported that someone had hacked into their accounts and used the points they had accrued to make orders. Others said money was loaded into their Chick-fil-A One accounts from their bank accounts.

Others said hackers took over their accounts and changed the affiliated email address so as to avoid customers receiving notifications about withdrawals from their bank accounts.

Update: my account was somehow hacked. The person changed the email on the account and that’s why I didn’t get a notification from chick fil a themselves. They bought a mobile gift card. I found out when I went to delete my account. Won’t be supporting this restaurant anymore https://t.co/RuULdiNaiq

— LeXX (@aleXXa4life) January 2, 2023