Cyber Incident Victim: Nandos
Date: Oct 2020
Location: United Kingdom
Summary
Customers of a popular restaurant chain experienced unauthorized account takeovers and fraudulent orders as a result of credential stuffing attacks, in which attackers reused credentials compromised on other platforms. The incidents occurred amid increased reliance on in-store online ordering systems, with compromised accounts used to place large fraudulent purchases; the company confirmed no breach of its own systems but reimbursed affected users while pledging improved fraud detection. The attack vector exploited widespread password reuse, highlighting the risk that credentials shared across multiple services pose during periods of rapid digital service adoption.
Description
In late October 2020, Nando’s customers reported unauthorized access to their online accounts, resulting in fraudulent food orders. Attackers used credential stuffing, replaying previously breached email and password combinations from other platforms to hijack accounts whose owners had reused those credentials. The COVID-19 pandemic had made in-store QR code scanning and online ordering necessary, creating a new attack surface for these compromises. Multiple UK media reports documented cases where attackers placed large fraudulent orders, including one instance where a group failed several times before completing two unauthorized transactions. Customers faced direct financial losses, with some losing hundreds of pounds. Nando’s confirmed its systems were not breached but acknowledged that individual accounts had been compromised through credentials reused from third-party breaches. The incident highlighted operational vulnerabilities in newly implemented digital ordering systems designed for pandemic safety.

Nando’s responded by committing to reimburse affected customers and enhancing fraud detection capabilities for account activity. Security firm Comparitech noted the broader trend of credential stuffing attacks targeting hospitality sector online platforms during the pandemic, with Akamai reporting 64 billion such attempts against retail, hospitality, and travel organizations between July 2018 and June 2020. Brian Higgins, a Comparitech security specialist, emphasized that attackers leveraged stolen credentials across multiple platforms when passwords were reused. The incident underscored the criticality of password hygiene, as compromised credentials from unrelated services enabled access to Nando’s accounts without requiring exploitation of the company’s internal systems. Financial impacts were limited to customer reimbursements, with no reported data breach of Nando’s infrastructure.
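The account-activity fraud detection described above can be approached from the authentication log: credential stuffing spreads one leaked password across many accounts from the same source, so a source that touches many distinct accounts with a high failure rate, and then succeeds on one, is the signal to alert on. The following is an added example, not code from Nando’s or from the original page; the log format and the sample events are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample login events (hypothetical format): timestamp source_ip account result.
# 203.0.113.7 sprays six accounts and lands one; 198.51.100.2 is a user who mistyped once.
SAMPLE_LOG = """\
2020-10-25T18:00:01Z 203.0.113.7 alice@example.com FAIL
2020-10-25T18:00:02Z 203.0.113.7 bob@example.com FAIL
2020-10-25T18:00:03Z 203.0.113.7 carol@example.com SUCCESS
2020-10-25T18:00:04Z 203.0.113.7 dave@example.com FAIL
2020-10-25T18:00:05Z 203.0.113.7 erin@example.com FAIL
2020-10-25T18:00:06Z 203.0.113.7 frank@example.com FAIL
2020-10-25T18:01:00Z 198.51.100.2 alice@example.com FAIL
2020-10-25T18:01:05Z 198.51.100.2 alice@example.com SUCCESS
"""


def parse_events(text):
    """Parse whitespace-separated log lines into (timestamp, ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((ts, ip, account, result.upper()))
    return events


def detect_credential_stuffing(events, min_accounts=5, min_fail_ratio=0.6):
    """Flag source IPs that try many distinct accounts with mostly failed logins.

    Unlike a brute force against one user, stuffing tries roughly one password per
    account, so the distinct-account count is the discriminator. Any SUCCESS from a
    flagged source is reported as a probable account takeover for follow-up.
    A production detector would additionally apply a sliding time window per source.
    """
    per_ip = defaultdict(lambda: {"accounts": set(), "fail": 0, "total": 0, "hits": set()})
    for _, ip, account, result in events:
        stats = per_ip[ip]
        stats["accounts"].add(account)
        stats["total"] += 1
        if result == "FAIL":
            stats["fail"] += 1
        else:
            stats["hits"].add(account)

    alerts = {}
    for ip, stats in per_ip.items():
        ratio = stats["fail"] / stats["total"]
        if len(stats["accounts"]) >= min_accounts and ratio >= min_fail_ratio:
            alerts[ip] = {"accounts_tried": len(stats["accounts"]),
                          "fail_ratio": round(ratio, 2),
                          "compromised": sorted(stats["hits"])}
    return alerts
```

Accounts listed under `compromised` are the ones a defender would force a password reset on and review for fraudulent orders, while the legitimate single-account retry from the second source is not flagged.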
