Chick-fil-A confirms data breach that impacts 70K+ accounts

Top Class Actions’s website and social media posts use affiliate links. If you make a purchase using such links, we may receive a commission, but it will not result in any additional charges to you. Please review our Affiliate Link Disclosure for more information.

Chick-fil-A data breach overview: 

• Who: Chick-fil-A confirmed it suffered a data breach that exposed the personal and financial data of more than 71,000 of its customers. 
• Why: The data breach has been attributed to a monthslong credential stuffing attack against its website and mobile application from between Dec. 8, 2022, and Feb. 12, 2023.
• Where: The data breach affected Chick-fil-A One account holders nationwide.

Chick-fil-A has confirmed it suffered a data breach that exposed the personal and financial information of more than 71,000 of the fast food restaurant’s customers. 

The data breach, which the company began investigating in January after saying it discovered suspicious log-in activity for certain Chick-fil-A One accounts, has now been attributed to a credential stuffing attack, Bleeping Computer reports. 

In a data breach notice to its customers, Chick-fil-A said it “immediately took steps” to prevent any further unauthorized activity from occurring upon discovering it. 

The restaurant said its investigation ultimately determined that an automated attack had been launched against its website and mobile app from between Dec. 18, 2022, and Feb. 12, 2023. 

Hackers were able to breach the Chick-fil-A One accounts using account credentials such as email addresses and passwords that had been obtained by a third-party source, according to the company. 

Information exposed in Chick-fil-A data breach included names, payment information, other personal data

Chick-fil-A said information exposed in the data breach may have included names, email addresses, Chick-fil-A One membership numbers and mobile pay numbers, QR codes and masked credit or debit card numbers, among other things. 

“In addition, if saved to your account, the information may have included the month and day of your birthday, phone number, and address,” the company wrote in its data breach notification notice to customers. 

Chick-fil-A did note that, in the event the unauthorized parties were able to access payment card information, they would have only been able to see the final four digits of the payment card numbers. 

Upon discovering the breach, the company said, it required customers to reset their account passwords and remove any debit or credit card payment methods, while it temporarily froze funds previously loaded into the accounts. 

The company said it also restored Chick-fil-A One account balances and added rewards to the accounts, as a way to “say thank you for being a loyal Chick-fil-A customer.”

“Chick-fil-A continues to enhance its security, monitoring, and fraud controls as appropriate to minimize the risk of any similar incident in the future,” the company said. 

In other data breach news, Equifax agreed last month to pay at least $380.5 million to resolve claims the credit bureau failed to protect the information of consumers during a 2017 data breach. 

Have you been affected by the Chick-fil-A data breach? Let us know in the comments. 

Read About More Class Action Lawsuits & Class Action Settlements:

• Chick-fil-A investigates ‘suspicious activity’ on some customer accounts
• Equifax data breach class action settlement
• U.S. Dept. of Labor fines food sanitation contractor $1.5M for child labor violations
• Workers paid daily rates are entitled to overtime