A data breach against fast food chain Five Guys resulted in the unauthorized access of files containing information submitted to the company in connection with its employment process, according to consumer notification letters dated Dec. 29 and published by state attorneys general in New Hampshire and Montana.
Per the letters, Five Guys first identified the breach in September 2022. The company said it investigated the incident and, on Dec. 8, determined that the breach impacted files on the company’s file server.
The type of information compromised in the breach may vary by individual. The letter to New Hampshire Attorney General John Formella — in which employer-side law firm BakerHostetler identified Five Guys as its client — said the impacted files contained the names and Social Security numbers of 22 New Hampshire residents.
A Dec. 30 notice posted online by Wisconsin-based plaintiff-side firm Turke & Strauss said that in addition to names and Social Security numbers, the breach also may have impacted driver’s license numbers.
At press time, Five Guys did not respond to an HR Dive request for comment.
In the consumer notification letters, the company said it had notified law enforcement about the incident and that it would arrange for impacted consumers to receive no-cost credit monitoring and identity theft protection services. The deadline to enroll in these protections is March 29, 2023.
HR departments may be a valuable target for cybercrime. The industry saw this first-hand in the aftermath of the December 2021 data breach against payroll and timekeeping vendor UKG, which left some organizations without access to the company’s solutions for several weeks.
Employers can take a proactive approach to protecting HR data by working with other business units responsible for addressing cybersecurity on topics such as information access, data retention and device security, according to sources who previously spoke to HR Dive.