Data breach at TGI Fridays; millions of users’ data exposed

Without the necessary protection measures, data breaches can occur in any company, regardless of size or branch. Pentesting specialists reported on a cybersecurity incident at the Australian branch of the TGI Friday’s restaurant chain, exposing the information of thousands of its customers.  

All affected customers, mainly members of
MyFriday, the chain rewards program, were notified of the incident this
weekend. In addition, the company advised them to reset the password of their
program accounts.

Apparently the incident occurred due to a
missecurity configuration on one of the company’s servers. A TGI Fridays
spokesperson claims that customer payment card information was not compromised
during the incident, although it is not specified what personal data remained
exposed, experts mention penetration testing experts.

The company notified the Australian Information Commissioner’s Office (OAIC) of the data breach, emphasizing that the incident was caused by a technical error, as well as ruling out the possible intrusion of a threat actor into the chain’s systems restaurants. Just a couple of days ago, OAIC had released up-to-date figures on cybersecurity incidents, reporting that 245 different cases of security breaches and data breaches occurred between April and June this year.

According to the pentesting experts who
collaborated with OAIC in this quarterly report, the human factor prone to
mistakes is a recurring element in much of this type of incident. However,
security incidents intentionally caused by groups of threat actors prevail in
these reports, as 6 out of 10 cybersecurity incidents are considered

The new OAIC policy obliges companies operating
with personal data in Australian
territory to report any computer security incidents under a new scheme, known as
Notifiable Data Breaches (NDB), implemented around a year ago.

Under this new scheme, private companies,
government agencies and other organizations must report these incidents within
30 days after detection, especially if the incident is serious enough to
compromise their cause major damage. Angelene Falk, Information Commissioner
and Australian Data Privacy Office, says this new regime has been best adopted
by companies operating in Australia, and “will help authorities and
companies improve protocols response to such incidents.”

According to pentesting specialists from the
International Institute of Cyber Security (IICS), they say that data breaches
arising from human error remain all too common. Recently, millions of users of
the Luscious adult website suffered exposure to some personal data due to
misconfigurations in the website’s systems. Committed data include personal
details such as usernames, email addresses, gender, site activity history,
location data, and, in some cases, full user names.

To Top

Pin It on Pinterest

Share This