Data breach at TGI Fridays; millions of users’ data exposed

Without the necessary protection measures, data breaches can occur in any company, regardless of size or industry. Pentesting specialists reported on a cybersecurity incident at the Australian branch of the TGI Friday’s restaurant chain that exposed the information of thousands of its customers.

All affected customers, mainly members of MyFriday, the chain’s rewards program, were notified of the incident this weekend. In addition, the company advised them to reset the passwords of their program accounts.

Apparently the incident occurred due to a security misconfiguration on one of the company’s servers. A TGI Fridays spokesperson claims that customer payment card information was not compromised during the incident, although, as penetration testing experts note, the company has not specified which personal data was exposed.

The company notified the Australian Information Commissioner’s Office (OAIC) of the data breach, emphasizing that the incident was caused by a technical error and ruling out the intrusion of a threat actor into the restaurant chain’s systems. Just a couple of days ago, OAIC had released up-to-date figures on cybersecurity incidents, reporting that 245 different cases of security breaches and data breaches occurred between April and June this year.

According to the pentesting experts who collaborated with OAIC on this quarterly report, human error is a recurring element in much of this type of incident. However, incidents intentionally caused by threat actor groups still prevail in these reports, as 6 out of 10 cybersecurity incidents are classified as cyberattacks.

The new OAIC policy obliges companies handling personal data in Australian territory to report computer security incidents under a new scheme, known as Notifiable Data Breaches (NDB), implemented around a year ago.

Under this new scheme, private companies, government agencies and other organizations must report these incidents within 30 days of detection, especially if the incident is serious enough to cause major harm. Angelene Falk, Australian Information Commissioner and Privacy Commissioner, says this new regime has been well adopted by companies operating in Australia, and “will help authorities and companies improve response protocols for such incidents.”

Pentesting specialists from the International Institute of Cyber Security (IICS) say that data breaches arising from human error remain all too common. Recently, millions of users of the Luscious adult website had personal data exposed due to misconfigurations in the website’s systems. The compromised data included personal details such as usernames, email addresses, gender, site activity history, location data and, in some cases, full user names.