Pizza Hut Reveals Security Breach Affecting 60,000 Customers

On Saturday, October 14, Pizza Hut informed customers of a "temporary security intrusion" that affected users visiting the restaurant's website or mobile app during a 28-hour period lasting from October 1 to October 2. Guests using the website or mobile app to place an order may have had their information compromised. The hackers were able to access names, billing zip codes, delivery addresses, email addresses, and payment card information (account number, expiration date, CVV numbers).

Pizza Hut said it believes the breach affected less than 1 percent of the visits, or about 60,000 individuals across the United States and is offering anyone affected a year of free credit monitoring through Kroll Information Assurance. People have until January 11 to sign up.

The chain revealed the data breach, two weeks after the incident occurred. While this time frame for the industry is relatively quick, it was too late for multiple customers who complained on social media of having their bank accounts emptied by online criminals.

According to a statement from RiskIQ, a digital threat management firm, "there’s been a rash of recent incidents in which corporate websites have been hacked to steal sensitive customer data. Often, this is a result of servers running unpatched frameworks such as Apache Struts 2, or vulnerabilities related to compromised third-party components such as Javascript, which can be modified upstream and affect all the sites that use it. For instance, RiskIQ discovered keylogging malware that exploits Javascript of e-commerce software that integrates with websites all around the world. By logging consumer keystrokes, the threat actors behind it could steal the credit card data of online shoppers purchasing items from the affected sites.

"In both cases, the ruinous consequences stem from the affected organizations not knowing about the vulnerability that was exploited," RiskIQ continued. "Attackers performing reconnaissance will often look for these unknown, unprotected, and unmonitored assets to use as attack vectors. With GDPR taking effect, to avoid harsh penalties, organizations must be able to inventory and detail websites where PII is captured and processed. Not only that, but they must also be able to identify where PII is captured by third-parties using their company/brand as a lure (such as ads), verify security of the PII-collecting websites with SSL certificates, and comply with persistent cookie requirements on websites (expiration of less than one year).”