A couple of weeks ago I noticed a suspicious-looking email that purported to be from Mexican restaurant chain Taco Bill.
Speaking of spam, I am on Taco Bill's email list, but there's no way they would send me a receipt, and the link looks dodgy as hell. pic.twitter.com/ZQa4yXa0pc
— Daniel Bowen (@danielbowen) September 23, 2017
I’m on their loyalty database (“Club Taco”), so I suspected their systems had been compromised.
Today they’ve confirmed it.
I’ll post the full statement, interspersed with some notes from me.
Data Breach – Taco Bill database
Taco Bill respects your privacy and values your ongoing business and, for this reason, would like to let you know, as a precautionary measure, about a data security incident that may involve your personal information.
On Friday, 22 September 2017, the Taco Bill email database managed by our external service provider was hacked by an unknown person or persons. This database contains personal information that you have provided to us when requesting to subscribe to our mailing system. This may include full name, postal address, email, phone number, date of birth, and additional linked account members’ details, if applicable (including spouse and/or children’s names).
By default, Club Taco asks for name and date of birth (the latter to send special offers on your birthday). Optional details include your address and phone number/s. I think — I hope — I didn’t enter those.
At present, they seem to have disabled the Club Taco joining page. Probably just as well.
The hacker uploaded approximately 1.75 million further subscribers to our database and then sent out two emails to our valued customers on our database and to the further 1.75 million subscribers that were uploaded. These emails do not appear to contain any viruses, but we recommend deleting them.
Sure, the email itself appeared to be clean. However, it did include a link to a docx file on a hacked web site, multimixconcrete.com.au — hopefully they’ve figured out that they too were compromised.
From a trusted source:
It's a virus... I ran it against VirusTotal
— Phil Sweeney (@philsweeney) September 23, 2017
At the time of writing, the multimixconcrete.com.au web site has been suspended by its ISP. It appears it belongs to a company in Western Australia.
We have been informed by our external provider that no information was copied off our database; however, this does not mean that information may not have been copied.
Hedging their bets there a bit.
Taco Bill is undertaking a thorough review of the potentially affected database and its computers. We have also taken steps to protect your privacy and make sure this does not happen again, including scans of our computers, as well as changing our external service provider to provide us with faster response times on security issues, extra security measures for protection of your data and around the clock monitoring and alerts. We will let you know if there are any significant developments.
We suggest that you remain vigilant and, as a precautionary measure, review account statements and monitor credit reports. We also suggest you retain a copy of this letter for your records in case of any future concerns.
If you think your identity may have been stolen, please immediately contact the relevant financial institution or company with which the account is held. We also suggest you immediately report any suspicious activity or identity theft to the proper law enforcement agency (for example, the police).
Please do not hesitate to contact Taco Bill head office on email firstname.lastname@example.org if you have any queries or require any additional information or assistance in relation to the above.
If you are not satisfied with our response in resolving this issue, you can make a complaint to the Office of the Australian Information Commissioner, whose contact details are located at www.oaic.gov.au.
We sincerely apologise for this incident occurring. Taco Bill values your privacy and ongoing support of our business.
I wonder precisely what happened, and just how insecure their database was?
It’s a reminder that even big companies can mess up their security, and we should be wary of how much information we give them.