Pizza Hut customers who were defrauded in the past two weeks by false credit card usage can thank the (popular?) pizza chain for the privilege. The company was hacked on October 1st and 2nd, but waited nearly two weeks to inform customers that their private data had been compromised. The company finally began notifying users on Saturday.
The breach appears to have been total, with hackers making off with names, billing zip codes, delivery addresses, credit card numbers, CVN numbers, and email addresses–everything you’d need, in other words, to help yourself to someone else’s data and personal information. Anyone who ordered a pizza via Pizza Hut’s mobile app on October 1 or October 2 was potentially affected.
As the Lexington Heraldreports, there were multiple incidents of customers seeing their bank accounts cleaned out or other catastrophic financial damage. Pizza Hut has told users that a “small percentage” of its customer base was affected, but a call center operative told the paper this still translated into roughly 60,000 people. We’ve talked before about how companies try to use misleading metrics in customer service messaging. OnePlus has defended its data gathering as a “routine practice” while simultaneously promising it took the need to tell customers what kind of data collecting it did seriously–but only after it got caught.
so @pizzahut sent an email today about a breach that occurred 2 weeks ago. their delay resulted in my bank acct being drained thx to fraud.
— ᴄᴏᴜʀᴛɴᴇʏ. (@runawaywithit) October 14, 2017
Pizza Hut is offering a year of free credit monitoring with Knoll Information Assurance, affected customers have up to January 11 to register for the service. It’s not currently clear how many Americans still need credit monitoring in the wake of the cataclysmic Equifax breach, and offering this kind of solution has become something of a sop for companies rather than a valid fix for anything. Pizza Hut’s Doug Terfehr told the Lexington Herald that it had notified customers as quickly as it could:
We take the privacy and security of our customers very seriously and invest in resources to protect the customer information in our care. We value the trust our customers place in us and while we were able to address this incident quickly, we regret that this happened and apologize for any inconvenience this may have caused.
There are valid reasons to delay announcing a hack; companies often want to make certain they’ve closed the loopholes that made the hack possible in the first place. But waiting this long also risks customer’s personal data, as directly evidenced by the tweets from Pizza Hut customers. There’s been a plethora of bad security news over the past few months, with the Equifax hack, events like this, and now, news that WPA2 has been catastrophically broken. Data security is more serious than ever, and yet the tools we use to provide it have never seemed less capable of the task.