Pizza Hut informed customers via email on Saturday of a “temporary security intrusion” that affected users who visited the chain’s website or mobile application during an approximately 28-hour period from the morning of October 1 through midday on October 2. Those who placed an order may have had their information compromised, the Yum! Brands company said.
Pizza Hut believes the breach hit less than 1 percent of the visits, or about 60,000 individuals across the U.S. The brand is offering anyone affected by the issue a year of free credit monitoring through Kroll Information Assurance. People have until January 11 to register. Pizza Hut and its “external cybersecurity consultants” identified name, billing zip code, delivery address, email address, and payment card information (account number, expiration date, CVV numbers) as being compromised.
The chain said it is talking to cybersecurity experts outside of the company to look into the hack. Pizza Hut added that customers should be on the lookout for scams asking for personal information, since the chain doesn’t typically ask for that kind of data, including social security numbers.
Some customers took to social media to complain about the length of time it took Pizza Hut to alert them of the breach. Doug Terfehr, Pizza Hut's director of communications, told McClatchy in a statement that the company worked as fast as it could to notify customers, saying, "We value the trust our customers place in us and while we were able to address this incident quickly, we regret that this happened and apologize for any inconvenience this may have caused."
"While Pizza Hut is suggesting this breach wasn’t particularly serious in terms of the volume of customers affected, there are certainly some best practices that were not implemented around this breach," said Marco Cova, senior security researcher at Lastline, in a statement. "Waiting two weeks to inform the users affected means that the individuals were unable to block or change their cards, which in turn meant that the fraudulent data stolen facilitated further cybercrime in the form of credit card fraud, which is always the worry with data breaches. Companies should learn from this mistake, and should endeavor to tell the individuals what’s happening as soon as possible, and invest in the appropriate breach-detection services to stop cybercriminals before they access the data in the first place."
This is, unfortunately, just the latest example of a quick-service chain facing down a security breach. In late September, information surfaced that potentially millions of credit and debit cards used at Sonic Drive-In were at risk after an ongoing breach “may have led to a fire sale on millions of stolen credit and debit card accounts that are now being peddled in shadowy underground cybercrime stores.”
In May, Chipotle announced a security issue hit “most” of its locations. Arby’s said in February that potentially more than 355,000 customers’ credit cards could have been compromised.
More than a thousand Wendy’s locations were impacted by a major card breach in July 2016, an issue that proved costly for card-issuing banks and credit unions, KrebsOnSecurity points out. Wendy’s needed months to fix the situation, partly because of the brand’s large corporate-owned structure.