
Cyber Incident Victim: Subway

Date:

Dec 2020

Location:

United Kingdom

Summary

A fast-food chain's UK marketing system was compromised to distribute phishing emails containing malicious Excel documents that deployed TrickBot malware, leveraging recipients' first names and dedicated Subway email addresses to appear legitimate. The malware enabled credential theft, network propagation, and potential ransomware escalation, though the company confirmed no guest account breaches or financial data exposure. The compromised server, used solely for email campaigns, was isolated under crisis protocols, with affected customers notified about first and last name disclosure.

CIA Posture: available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: available to members
Location: available to members

Description

On December 11, 2020, Subway UK customers began receiving fraudulent emails appearing to originate from 'Subcard,' a Subway loyalty program. These messages referenced a fabricated Subway order and contained links to malicious Excel documents disguised as order confirmations. Analysis revealed the documents deployed TrickBot malware, a sophisticated threat capable of stealing saved browser credentials, harvesting cookies, propagating across networks, and establishing footholds for ransomware operations like Ryuk or Conti. The emails incorporated recipients' first names and utilized email addresses some customers had created exclusively for Subway communications, raising immediate concerns about a potential breach of Subway's systems. Initial inquiries by BleepingComputer prompted Subway to acknowledge an unspecified "disruption" affecting its email infrastructure, advising customers to delete the suspicious emails as a precaution while investigations commenced.


Subway subsequently confirmed a server responsible for managing marketing email campaigns had been compromised, enabling attackers to distribute the phishing messages. The company stated the system did not store financial data such as bank or credit card details but confirmed unauthorized access to customers' first and last names. Subway initiated crisis protocols, isolating affected systems to prevent further exploitation, and began notifying impacted individuals about the exposure of their personal information. While asserting no evidence indicated compromise of guest accounts beyond the email campaign system, Subway apologized for the incident and emphasized protecting customer data as its priority. The company did not disclose the number of affected individuals or whether additional data resided on the breached server when queried by BleepingComputer. Customers who opened the malicious attachments were advised to check for active TrickBot processes and perform antivirus scans to mitigate potential infections.
