LockBit ransomware gang claims torpedoed Subway data • The Register


The LockBit ransomware group has claimed responsibility for an attack on the Subway sandwich chain, alleging it made off with a platter of data.

LockBit’s leak blog post, published on January 21, suggests that one of its affiliates breached Subway’s database, stealing sensitive data on “all financial aspects” of the fast food franchise.

“The largest sandwich chain is acting as if nothing happened,” the criminals said, highlighting the silence of the company’s official channels.

The full details of the incident are currently a matter of speculation. The company did not respond to our request for a statement, but has told other media outlets that it is investigating the legitimacy of the claims. No public disclosure had been made at the time of writing, either.

“We exfiltrated their internal SUBS system which includes hundreds of gigabytes of data and all financial (aspects) of the franchise, including employee salaries, franchise royalty payments, master franchise commission payments, restaurant turnover, etc.,” says LockBit.

“We’re giving them some time to come and protect that data. If they don’t, we’re willing to sell to competitors.”

The last line here suggests that LockBit is giving Subway time to think about the demands it has almost certainly communicated to the company.

It is unclear whether ransomware was involved or whether the criminals’ allegations relate solely to data theft and extortion, an approach ransomware gangs have increasingly turned to in recent years.

A recent in-depth analysis of LockBit’s internal workings revealed an overhaul of how it deals with victims’ incident response teams, in part because its affiliates were being too lenient with organizations and failing to secure the expected ransom payments.

Following a meeting in 2023, LockBit established clear guidelines on ransom demands and on how generous its affiliates may be with discounts before walking away from the table.

Subway is not a publicly traded company, so its financial results are disclosed less regularly than those of some of its fast-food competitors. LockBit calculates its ransom demand as a percentage of the victim’s annual revenue, which in this case will be less precise than in other attacks.

Without official figures, LockBit will likely make its own estimate or base its calculation on open source figures, which vary wildly depending on the source. Either way, the demand will likely amount to tens of millions of dollars, judging by historical cases involving large companies.

How the case will play out remains unclear, but if Subway still takes its security as seriously as it did when developing its Android app, the company’s security staff might opt for a labor-intensive recovery and rebuild rather than pay a ransom.

A teardown of its Android application in 2015 revealed that the developers and security team behind it had applied security measures usually reserved for high-end banking applications. ®
