Skip links

Subway’s data torpedoed by LockBit, ransomware gang claims

The LockBit ransomware gang is claiming an attack on submarine sandwich slinger Subway, alleging it has made off with a platter of data.

LockBit’s post to its leak blog, published on January 21, suggests one of its affiliates breached Subway’s database, stealing sensitive data on “all financial aspects” of the fast food franchise.

“The biggest sandwich chain is pretending that nothing happened,” the criminals said, highlighting the silence from the company’s official channels.

Full details of the incident are just a matter of speculation at present. The company hasn’t responded to our orders for a fresh statement, but has told the wider media that it’s currently investigating the legitimacy of the claims. No public disclosures had been made at the time of writing either.

“We exfiltrated their SUBS internal system which includes hundreds of gigabytes of data and all financial [aspects] of the franchise, including employee salaries, franchise royalty payments, master franchise commission payments, restaurant turnovers etc,” LockBit alleges. 

“We are giving some time for them to come and protect this data, if no[t], we are open to sell to competitors.”

The last line here suggests LockBit is giving Subway some time to mull the demands that it has almost certainly communicated to the company.

It’s not clear whether ransomware was involved or if the criminals’ claims are solely related to data theft and extortion, as ransomware gangs have been increasingly “pivoting” to this in the last few years.

A recent deep dive into the inner workings of LockBit revealed a revamp in the way it works with victims’ incident response teams, in some part due to its affiliates bending to organizations and not securing the expected ransom payments.

From intel gathered in 2023, LockBit established clear guidelines on ransom demands and how generous a discount its affiliates are allowed to offer before walking away from the table.

Subway isn’t a publicly listed company and therefore its earnings figures are made public less regularly than some of its fast food competitors. LockBit calculates the ransom demand based on a percentage of a victim’s annual revenue, which in this case will be less specific than in other attacks.

Without official figures, LockBit will likely make its own estimates or base its calculations on open source figures, which vary wildly depending on the source. Regardless, the demands will likely be in the tens of millions of dollars, considering historical cases with large businesses.

How the case plays out remains unclear, but if Subway still takes its security as seriously as it did when developing its Android app, the die-hard security nerds at the company may opt for a labor-intensive recovery and rebuild rather than pay a ransom.

A teardown of its Android app in 2015 revealed the devs and security team behind it were applying security measures often only seen in high-end banking apps. ®