Burger chain Five Guys Enterprises LLC has disclosed a data breach that resulted in the theft of personally identifiable information of job applicants at the company.

The disclosure came via a form letter dated Dec. 29 filed with the Montana Department of Justice. The letter describes a security incident that involved unauthorized access to files on a file server on Sept. 17.

Five Guys said that upon discovering the unauthorized access, it immediately implemented its incident response plan, took steps to contain the hack and launched an investigation. Ticking the standard response list, the company also informed law enforcement and hired a forensic cybersecurity firm.

A subsequent investigation determined on Dec. 8 that the data accessed was in relation to its employment process. The form letter only states that the data stolen were applicants names before a field labeled “Variable Text 1.” Presumably, the field would be populated with further information relating to the affected job applicant.

In response to the data theft, Five Guys is offering free credit monitoring and identity protection services for one year, including a $1 million insurance reimbursement policy and fully managed identity theft recovery services. The form letter also discusses various risks involved with identity theft and adds “if your health insurance was involved,” indicating that the data stolen may have been extensive.

The incident is not the first time hackers have targeted the burger chain. In 2012, a court case disclosed that hackers had stolen account details of debit-card paying customers from the company.

No hacking group has taken public responsibility for the data theft as of the time of writing. The form of attack is also unknown, but there are some possibilities as to how the data was stolen, including a failure to secure cloud storage.

“It’s common for attackers to scan the public Internet for open and available file servers to obtain juicy or lucrative information,” Andrew Hay, chief operating officer at information security consulting firms Lares LLC, told SiliconANGLE. “If there are no access controls preventing the attacker from directly accessing the files, it’s as easy as eating grapes at the grocery store. If authentication is present, however, the attacker may have unlimited attempts to brute force the credentials needed to facilitate access.”

Casey Ellis, founder and chief technology officer at crowdsourced cybersecurity Bugcrowd Inc. ,commented that the attack “sounds a lot like the recruiting system where candidates upload their resumes and information got hacked.”

“Having these sorts of systems available to the internet makes sense when you consider the recruiting and job application process, but if something is more available to a public user, it’s also more available to a potential attacker,” Ellis explained. “Common web coding flaws like Indirect Object References, authentication flaws and even injection flaws can enable this type of attacker outcome without the need for lateral movement.”

Photo: kjarrett/Flickr