Cybersecurity

Five Guys discloses hack of 2 employees’ emails

Five Guys disclosed a security breach where hackers gained access to the email accounts of two employees, according to consumer disclosure letters filed Friday with the attorneys general of California and Maine. 

The breaches, discovered on June 7, were the result of business email compromise, Sam Chamberlain, COO of Five Guys, said in the filing with the Office of the Maine Attorney General. The Lorton, Va.-based hamburger chain, which has about 1,700 locations worldwide, did not indicate how many total individuals were impacted, but only three Maine residents were affected. 

The breach disclosure comes just weeks after Five Guys agreed to settle a federal class action lawsuit involving a September 2022 incident. In that breach, files linked to the company employment process were impacted, affecting more 37,000 individuals, according to records filed in Maine.

BlackCat/AlphV in February claimed credit for attacking Five Guys, according to a February post on X, by security researcher Dominic Alvieri.

Social Security numbers of three Maine residents were accessed as part of the incident, according to the Maine filing.

In the most recent incident, one employee account was accessed between March 20 and March 31, while the second email account was accessed between May 31 and June 7, according to breach notifications. 

Both accounts had multifactor authentication enabled and Five Guys immediately enacted its incident response plans, took steps to secure the accounts and retained an outside cybersecurity firm with experience handling similar incidents. 

Chamberlain apologized in the letter and said the company had taken additional measures to prevent a similar incident.

A spokesperson for Five Guys was not immediately available. An attorney for BakerHostetler, listed as outside counsel for Five Guys, was not immediately available.