SevenRooms, a “guest experience and retention platform” for food establishments and hospitality organisations, has confirmed it has fallen victim to a third party vendor data breach. Mostly known for its customer management platform, Seven Rooms' breach came to light after stolen data was seen for sale on an underground forum.
SevenRooms confirmed to Bleeping Computer that the data, samples of which were posted on the forum on 15th December, is real. This data selection contained “thousands of files” containing data on SevenRooms customers.
The database, weighing in at 427GB, contained promo codes, payment reports, reservation lists and more, alongside folders named after well known restaurant chains.
When file transfer goes wrong
A “third party vendor file transfer interface” is the source of SevenRooms’ current woes. This tool or program was accessed without permission by the data thief, which means that certain documents sent to or from SevenRooms were pilfered.
What has been taken?
There isn’t a great amount of additional detail available in relation to this question so far. The point of note for most people will be data related to individuals. What SevenRooms has told Bleeping Computer is that “some” guest data was obtained, which could include names, emails, and phone numbers.
What was not taken includes bank account data, social security numbers, credit card details, or anything else along the lines of “highly sensitive information”.
Of course, depending on your circumstances, making names or phone numbers tied to email addresses public could still be a threat or concern. The only bright spot here is you don’t have to worry about cancelling your cards right before Christmas and the New Year.
No direct breach of SevenRooms
SevenRooms claims that nobody managed to directly breach their own systems; everything that went wrong was down to the transfer tool. With access to the tool disabled, the organisation investigated and found no evidence of its systems being accessed or otherwise tampered with.
There is no word of which businesses were impacted by this breach, and frustratingly little detail on who may have been affected individually, but we can expect outreach very soon along these lines.
No guest for the wicked: if you think you’ve been caught in the breach...
Until more information is released, it's tricky to give specific advice. All you can really do for now is be on your guard against phishing and social engineering.
Anything related to places you’ve stayed or eaten at, especially offers or discounts, should be treated with caution. You can always contact the business directly if you’re not sure that what you’ve been sent is genuine.
Direct phone calls may be suspicious, especially if you remember opting out of outbound contact and marketing or other promotions. As with email or any other form of contact, don’t feel bad about going directly to the source. You won’t miss out by taking a few moments to confirm that tempting offer you’re interested in is the real thing.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.