Cyber Incident Victim: Five Guys Burgers and Fries

On May 23, 2018, a Five Guys employee fell victim to a phishing attack that compromised their email account. The breach remained undetected until August 6, 2018, when the company discovered unauthorized access to the account. An investigation confirmed the attacker gained entry through the phishing incident, which specifically targeted the employee's credentials. The compromised email inbox contained messages and attachments with sensitive employee information. Five Guys did not publicly disclose how the phishing attempt was executed or whether other accounts or systems were accessed during the intrusion period between May and August.

The investigation revealed the exposed data included employee names, dates of birth, Social Security numbers, addresses, hire dates, termination dates, and 401K contribution details. Five Guys notified affected employees and submitted a breach disclosure to the California Attorney General’s Office on November 2, 2018. The notification letter, signed by Chief Operating Officer Sam Chamberlain, did not specify the total number of impacted individuals. The company offered complimentary one-year memberships to Experian’s IdentityWorks credit monitoring service to those affected. No evidence suggested customer data was involved, as the breach exclusively compromised employee records stored within the targeted email account. Five Guys did not disclose whether additional security measures were implemented following the incident beyond the credit monitoring offering.