Fast food restaurant Chick-fil-A confirmed Thursday that someone successfully launched an “automated attack” against the company’s website and app over the course of more than two months, stealing customers’ sensitive information.
The disclosure came in a security notice filed on the California Attorney General’s website.
The attack, which used log-ins obtained from a third party to access the member rewards site Chick-fil-A One, was carried out between Dec. 18, 2022, and Feb. 12, 2023, the chain said.
The stolen information “may have included your name, email address, Chick-fil-A One membership number and mobile pay number, QR code, masked credit/debit card number, and the amount of Chick-fil-A credit (e.g., e-gift card balance) on your account (if any).
“In addition, if saved to your account, the information may have included the month and day of your birthday, phone number, and address,” Chick-fil-A said in the filing, adding, “Importantly, unauthorized parties would only have been able to view the last four digits of your payment card number.”
It’s not clear how many people were affected, but the company told Nexstar in a statement it was less than 2% of all Chick-fil-A users.
In early January, Chick-fil-A said it was investigating “suspicious activity” after customers started complaining.
“I just had 50 dollars stolen from me by someone in Atlanta, GA,” one person tweeted on Jan. 1. “I no longer have an active debit card and I’m supposed to go on vacation literally tomorrow.”
“Y’all, someone hacked my chick fil a app account & ordered hella food with all my points,” one person tweeted four days later. Several weeks later, the restaurant had restored all of the missing points, the person added.
In Thursday’s filing, Chick-fil-A also outlined its efforts to rectify the situation. The chicken purveyor said it has required some customers to reset their passwords, something it recommends all Chick-fil-A One members do. Other measures the company has taken include removing credit/debit card payment methods, temporarily freezing funds, restoring Chick-fil-A One account balances, adding customer rewards as a ‘thank you,’ and increasing security.
Chick-fil-A is urging customers to review their account statements and credit reports for any suspicious activity.
Concerned customers can refer to the filing for instructions on getting a free credit report, contacting the U.S. Federal Trade Commission, requesting a security freeze and placing a fraud alert on their credit files. There are also state-specific recommendations for residents of Oregon, North Carolina, New York, the District of Columbia, Iowa, Maryland and New Mexico.
“We regret that this incident occurred and apologize for any inconvenience it may cause you,” Chick-fil-A said in the filing.
Anyone with further questions can call (833) 753-4428 from Monday through Friday between 9 a.m. and 9 p.m. ET.