December 14, 2016
KFC in the United Kingdom has confirmed that its UK loyalty program, which has about 1.2 million members, has been hacked. In an email to those members, the company said its monitoring systems show "a small number" of accounts "may have been compromised as a result of our website being targeted."
KFC UK and Ireland IT Director Brad Scheiner released this statement about the hack: "We take the online security of our fans very seriously, so we’ve advised all Colonel’s Club members to change their passwords as a precaution, despite only a small number of accounts being directly affected. We don’t store credit card details as part of our Colonel’s Club rewards scheme, so no financial data was compromised."
KFC has not said how the attackers breached its system, or whether it has yet been able to establish that. KFC's letter to members said it has “introduced additional security measures,” but it has not provided details about what those measures are, or about what types of data the attackers were actually able to access.
However, according to NuData Security Vice President of Business Development Robert Capps, the hackers in this case were seeking access to reward accounts that allow customers to collect Chicken Stamps and earn their way to free food rewards.
“This is precisely the type of hack that consumers may not take seriously due to the fact that it seems unlikely to impact users in any meaningful way," Capps told Judy Mottl, editor of QSRweb.com's sister site Retailcustomerexperience.com.
"What’s important to remember, however, is that hackers are often after more data than your username and password and simply changing these may not protect you down the road. Poor password security on behalf of users, specifically reuse of passwords across multiple sites, can give hackers a toe-hold into other, unrelated accounts."
Capps said that is why it is critical to use a different, strong password on every site, ideally kept in a password manager. Nonetheless, Capps added that it is ultimately the merchant's responsibility to protect consumer data.
"Merchants can also adopt passive biometric technologies that identify users instead of outdated single-point verification methods," he said. "User behavior can accurately identify users, even when correct credentials are offered. If more merchants would adopt such methods for all their account based programs, it wouldn’t matter if hackers got their hands on your credentials or other identifying information, they simply wouldn’t be able to get in the door because they don’t behave like the genuine user."