KFC, Pizza Hut owner discloses data breach after ransomware attack

Yum! Brands, the brand owner of the KFC, Pizza Hut, and Taco Bell fast food chains, is now sending data breach notification letters to an undisclosed number of individuals whose personal information was stolen in a January 13 ransomware attack.

This comes after the company said that although some data was stolen from its network, it has no evidence that the attackers exfiltrated any customer information.

In the sent to affected people starting Thursday, Yum! Brands revealed that it has now found out the attackers stole some individuals’ personal information, including names, driver’s license numbers, and other ID card numbers.

“We are writing to provide you with information about a cybersecurity incident involving your personal information that occurred in mid-January 2023,” Yum! Brands said.

“Our review determined that the exposed files contained some of your personal information, including [Name or other personal identifier in combination with: Driver’s License Number or Non-Driver Identification Card Number].”

The company also added that the ongoing investigation had not found evidence that the stolen data had been used for identity theft or fraud.

Roughly 300 restaurants shut down in the U.K.

As a direct result of the January ransomware attack, Yum! Brands around 300 restaurants in the United Kingdom.

“On January 18, 2023, we announced a ransomware attack that impacted certain IT Systems which resulted in the closure of fewer than 300 restaurants in one market for one day, temporarily disrupted certain of our affected systems and resulted in data being taken from our network,” the company said in its filed with the U.S. Securities and Exchange Commission (SEC) on Friday.

“We have incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter.”

In a January filing with the U.S. SEC, Yum! Brands also assured investors the ransomware attack would not cause any notable negative financial impact.

“While this incident caused temporary disruption, the company is aware of no other restaurant disruptions and does not expect this event to have a material adverse impact on its business, operations or financial results,” the firm’s reads.

Yum! Brands and its subsidiaries operate or franchise more than 55,000 restaurants across 155 countries and territories with the help of roughly worldwide.

No evidence of customer impact

A Yum! Brands spokesperson told BleepingComputer that the company found no evidence that customers were affected by this data breach.

“In the course of our forensic review and investigation, we identified some personal information belonging to employees was exposed during the January 2023 cybersecurity incident,” BleepingComputer was told.

“We are in the process of sending individual notifications and are offering complimentary monitoring and protection services. We have no indication that customer information was impacted.”

The company is yet to disclose the total number of employees who had their data stolen during the ransomware attack.

Update April 10, 15:50 EDT: Added Yum! Brands statement.