KFC had to make a sobering announcement this week to members of its Colonel’s Club loyalty program. Hackers breached its systems and made off with personally identifiable information (PII) on its members.
By acting quickly, however, KFC is hoping to limit the impact. According to a report from the U.K.’s ITV, KFC has so far identified only 30 accounts as compromised.
That such a small number of accounts was affected suggests credential stuffing: someone taking email-and-password pairs leaked in other sites’ breaches and trying them against Colonel’s Club logins, which only succeeds for members who reused the same password. KFC has nevertheless emailed all 1.2 million members advising them to change their passwords.
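The pattern inferred above, a large number of distinct accounts tried from one source with only a handful of successes, is what credential stuffing looks like in a login log. The following is an added example, not KFC’s code or logs: a small detector run over constructed, key=value-style login events. The log format, the IP addresses (documentation ranges) and the thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real KFC logs). One source,
# 203.0.113.7, tries eight different accounts in a few seconds and gets
# two right: the accounts whose owners reused a leaked password.
# 198.51.100.5 is a single member mistyping their own password, and
# 192.0.2.9 is an ordinary successful login.
SAMPLE_LOG = """\
2016-12-12T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2016-12-12T10:00:02Z ip=203.0.113.7 user=bob@example.com result=OK
2016-12-12T10:00:02Z ip=203.0.113.7 user=carol@example.com result=FAIL
2016-12-12T10:00:03Z ip=203.0.113.7 user=dave@example.com result=FAIL
2016-12-12T10:00:03Z ip=203.0.113.7 user=erin@example.com result=FAIL
2016-12-12T10:00:04Z ip=203.0.113.7 user=frank@example.com result=OK
2016-12-12T10:00:04Z ip=203.0.113.7 user=grace@example.com result=FAIL
2016-12-12T10:00:05Z ip=203.0.113.7 user=heidi@example.com result=FAIL
2016-12-12T10:01:00Z ip=198.51.100.5 user=alice@example.com result=FAIL
2016-12-12T10:01:20Z ip=198.51.100.5 user=alice@example.com result=FAIL
2016-12-12T10:01:45Z ip=198.51.100.5 user=alice@example.com result=OK
2016-12-12T10:02:00Z ip=192.0.2.9 user=ivan@example.com result=OK
"""


def parse_line(line):
    """Parse one '<timestamp> k=v k=v ...' line into a dict with a datetime."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_accounts=5, max_success_rate=0.5):
    """Flag source IPs that hit many distinct accounts inside one window.

    A legitimate member retrying their own password touches one account;
    a stuffing run touches many, mostly failing. Returns, per flagged IP,
    the busiest window: distinct accounts, attempts, success rate and the
    accounts that were actually logged into (the ones to force-reset).
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            events[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i, start in enumerate(evs):
            # Every event from this one forward that falls inside the window.
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            users = {e["user"] for e in in_window}
            if best is None or len(users) > best["accounts"]:
                ok = [e["user"] for e in in_window if e["result"] == "OK"]
                best = {
                    "accounts": len(users),
                    "attempts": len(in_window),
                    "successes": sorted(set(ok)),
                    "success_rate": len(ok) / len(in_window),
                }
        if best["accounts"] >= min_accounts and best["success_rate"] <= max_success_rate:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['accounts']} accounts, {info['attempts']} attempts, "
              f"success rate {info['success_rate']:.0%}, compromised: {info['successes']}")
```

The accounts listed under `successes` are the ones an operator would force-reset immediately rather than merely advise; the rest of the member base gets the blanket “change your password” email because the same leaked credential lists can be replayed from other addresses later.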
It is also reminding anyone who, despite constant warnings from security experts, has reused the same email address and password combination on other websites to change those credentials as well, this time, hopefully, to something other than their new Colonel’s Club password.
KFC’s response may seem like it doesn’t go far enough. It didn’t force a password reset, after all; it only recommended that users change their passwords, and it prefaced that recommendation by saying that “it’s extremely unlikely that [individual users] have been impacted.”
That’s not exactly the kind of wording that conveys real urgency. To be fair, as KFC notes, the database contains no payment information of any kind. KFC is also implementing “additional safety measures to further safeguard […] members’ accounts,” which is welcome news, though it didn’t say what those measures are.
Still, any hack that leaks PII such as real names, dates of birth and addresses is cause for concern. That is precisely the data fraudsters use to commit identity theft, to craft social engineering attacks against a victim’s friends and colleagues, and to reset victims’ passwords on other websites, where dates of birth and addresses are common account-recovery questions.