Slashdot Mirror


Pizza Hut Leaks Credit Card Info On 60,000 Customers (kentucky.com)

An anonymous reader quotes McClatchy: Pizza Hut told customers by email on Saturday that some of their personal information may have been compromised. Some of those customers are angry that it took almost two weeks for the fast food chain to notify them. According to a customer notice emailed from the pizza chain, those who placed an order on its website or mobile app between the morning of Oct. 1 and midday Oct. 2 might have had their information exposed. The "temporary security intrusion" lasted for about 28 hours, the notice said, and it's believed that names, billing ZIP codes, delivery addresses, email addresses and payment card information -- meaning account number, expiration date and CVV number -- were compromised... A call center operator told McClatchy that about 60,000 people across the U.S. were affected.
"[W]e estimate that less than one percent of the visits to our website over the course of the relevant week were affected," read a customer notice sent only to those affected, offering them a free year of credit monitoring. But that hasn't stopped sarcastic tweets like this from the breach's angry victims.

"Hey @pizzahut, thanks for telling me you got hacked 2 weeks after you lost my cc number. And a week after someone started using it."

76 comments

  1. Cash by Anonymous Coward · · Score: 1, Insightful

    And folks, that's why cash is best.

    Credit cards are nothing but evil. Although, if you want to travel, you can't live without them.

    Credit is just an evil. There's very little good about it - for consumers.

    Now, business credit is called "leverage" and that's a whole different issue.

    But for Joe Public, credit cards should just be outlawed. Just destroy them and their business. If it weren't for them, much of our economic dysfunction wouldn't exist. It just distorts everything....

    1. Re:Cash by Anonymous Coward · · Score: 3, Insightful

      Cash doesn't come with zero liability like credit cards often do. If one's card is stolen or number compromised, they're just mailed a new card. Easy, no hassles. Sure, one occasionally hears horror stories, but that's why one should be somewhat selective with the credit card issuers they choose to do business with.

      As for accumulating debt, one can just pay the bill in full every month like many do. In which case, no debt to worry about. So one gets all the benefits of zero liability, plus rewards, extended warranty, plus convenience. Cash is easy to lose, easy to steal, easy to get wrong change, plus the slight chance of getting counterfeit bills too.

      Also, good luck trying to mail order anything with cash. Most places don't accept COD anymore. Sure one could mail a money order or check, but good luck with that. Pre-paid and debit cards are a work-around for mail order, but are no panacea; less ideal than paying with a credit card. For renting a car, the guest with a credit card will be well on their way while the cash customer is still waiting on paying the sizable deposit, which may be based, in part, on one's credit. A catch-22 there for one who doesn't use any credit cards.

      Bottom line, despite all the issues, cashless payments is the reality. Even more so for young people today who often avoid using cash even for the smallest purchases. Anyone working in retail observes this every day.

    2. Re:Cash by Bryansix · · Score: 1

      I have a better solution. All transactions should be based on a challenge/response using encryption. No single transaction should expose the actual account number. The data that is sent in response should only work for a single transaction. Note that some credit card issuers use this technology already but it requires an application running on your computer or phone.

    3. Re:Cash by ShanghaiBill · · Score: 1

      That is a sensible idea, but there is a big problem: Those with the power to fix the system have no incentive to do so. The cost of fraud is pushed onto the merchants. The hassle of dealing with identity theft is dumped on the consumer. Mastercard and Visa have a vested interest in the current system, since any attempt at reform would quickly expose them as parasites that can be easily bypassed. The banks also have a vested interest in keeping the current system since a new system would likely be a "charge" system run by tech companies rather than a "credit" system run by banks.

      Don't expect the government to take the lead, since any attempt at reform will be demagogued as "big government" by the incumbents.

      America is too dysfunctional to fix the problem. Other countries have already come up with their own solutions. China's WeChat payment system is way superior to anything we have in the USA, or are likely to have in the next decade.
       

    4. Re:Cash by Jeremi · · Score: 1

      And folks, that's why cash is best.

      Cash has its own problems, as anyone who has been pickpocketed (or wound up holding a worthless counterfeit bill) will tell you.

      Credit cards are nothing but evil. Although, if you want to travel, you can't live without them.

      They aren't entirely evil, since as you admit they can be really useful.

      The problem with credit cards is they are insecure; in particular they are vulnerable to replay attacks.

      Upgrade them to a proper cryptographic protocol and they can be just as secure as any other type of electronic payment system (e.g. Apple Pay or Android Pay), with no need to trust Pizza the Hut or anyone else to keep secrets for you. Why the credit card companies haven't done this already is a bit of a head-scratcher; the technology and the know-how is out there.

      --


      I don't care if it's 90,000 hectares. That lake was not my doing.
    5. Re:Cash by Anonymous Coward · · Score: 0

      I think you are describing the public key cryptography system known as "EMV" that has been in use in Europe for 25 years and is now nearly ubiquitous in the United States. It somehow works just fine with plastic smart cards and does not require phones or computers. I guess Pizza Hut is regretting not deploying it.

    6. Re:Cash by Anonymous Coward · · Score: 1

      To expand on the point slightly, the way EMV works (chip cards, chip and pin, etc.) is that there is a microprocessor embedded in the card with an embedded unreadable private key. When you insert your card into a payment terminal, it cryptographically signs the transaction presented by the terminal, returning the signed copy (the "EMV cryptogram"), which is forwarded to the bank and can be used only for that exact transaction that one time. If you have a PIN, the card requires the PIN along with the invoice from the terminal to perform the signature step. Because the only multi-use account information is the private key, which can only be used by the card but not read by the terminal, the cards are not clonable and information from the card or transaction cannot be used to complete any other transaction.

      The entire point of the system is to prevent breaches exactly like this one, and it does a very good job of it. Despite the cynicism in this thread, the US is well along towards completing deployment. Pizza Hut is one of only a few holdouts -- unsurprisingly, these kinds of breaches are somehow only happening in the few retail businesses that made a big point about how EMV was pointless and refused to update their equipment. As a result, after the 2015 liability shift, they are now 100% liable for all fraudulent transactions at their businesses, which I hope they are enjoying now.
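An added illustration, written for this thread and not code from any poster or from any real EMV implementation, of the property described in the comment above (and the challenge/response idea raised earlier in the thread): a card that keeps its key internal and produces a cryptogram over each transaction, and an issuer that rejects replays and altered transactions. The HMAC-SHA256 key shared between card and issuer, the transaction counter, the merchant ids and the terminal nonce are constructed stand-ins for EMV's real key derivation and data elements.

```python
"""Simplified model of an EMV-style per-transaction cryptogram (constructed example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Transaction:
    merchant_id: str
    amount_cents: int
    currency: str
    atc: int            # application transaction counter, incremented by the card
    nonce: bytes        # terminal-supplied "unpredictable number" (the challenge)


def _txn_bytes(t: Transaction) -> bytes:
    """Canonical encoding of the fields the cryptogram covers."""
    return f"{t.merchant_id}|{t.amount_cents}|{t.currency}|{t.atc}|{t.nonce.hex()}".encode()


class Card:
    """Stand-in for the chip: holds the key, exposes only a signing operation."""

    def __init__(self, token: str, key: bytes):
        self.token = token          # public identifier sent to the issuer
        self._key = key             # never returned to the terminal
        self._atc = 0

    def sign(self, merchant_id, amount_cents, currency, nonce):
        self._atc += 1
        t = Transaction(merchant_id, amount_cents, currency, self._atc, nonce)
        cryptogram = hmac.new(self._key, _txn_bytes(t), hashlib.sha256).digest()
        return t, cryptogram


class Issuer:
    """Knows each card's key and the last counter it accepted."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enroll(self, token: str) -> Card:
        key = os.urandom(32)        # constructed per-card key, shared only with the issuer
        self._keys[token] = key
        self._last_atc[token] = 0
        return Card(token, key)

    def authorize(self, token, t: Transaction, cryptogram: bytes) -> str:
        key = self._keys.get(token)
        if key is None:
            return "DECLINED: unknown card"
        if t.atc <= self._last_atc[token]:
            return "DECLINED: replayed counter"
        expected = hmac.new(key, _txn_bytes(t), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINED: cryptogram does not match transaction"
        self._last_atc[token] = t.atc
        return "APPROVED"


def demo() -> dict:
    """Genuine use, a replay, two edited transactions and a wrong-card attempt."""
    issuer = Issuer()
    card = issuer.enroll("card-A")
    issuer.enroll("card-B")
    out = {}
    t1, c1 = card.sign("MERCHANT-1", 1999, "USD", os.urandom(4))
    out["genuine"] = issuer.authorize("card-A", t1, c1)
    out["replay"] = issuer.authorize("card-A", t1, c1)
    t2, c2 = card.sign("MERCHANT-1", 1999, "USD", os.urandom(4))
    out["amount_changed"] = issuer.authorize("card-A", replace(t2, amount_cents=199_999), c2)
    out["merchant_changed"] = issuer.authorize("card-A", replace(t2, merchant_id="OTHER-SHOP"), c2)
    out["wrong_card"] = issuer.authorize("card-B", t2, c2)
    out["genuine_after_attempts"] = issuer.authorize("card-A", t2, c2)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} {result}")
```

Nothing the terminal or merchant sees (the transaction fields plus the cryptogram) lets anyone build a valid cryptogram for a different amount, merchant or counter value, which is why a breach of stored transaction data at a chip-and-PIN merchant does not yield reusable card credentials.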

    7. Re:Cash by Anonymous Coward · · Score: 0

      Credit can be good and evil, using your cards and paying the balance off at the end of the month can be good, it builds credit history, protects you from some frauds and liability and sometimes gets you points and other perks.

      In the end this is a good rule to remember. If the something you are buying is not going to make you money, do not take out a loan to get it.

      This is why loans in general might be better for business, since the loans are used to purchase assets that usually make the business money.

      As for personal loans...

      Your house (generally appreciates in value so this is usually a good loan)
      Your car (this is generally a means to an end of you making money so not a bad loan)
      A new PC (maybe if you are using it to make money or education. If you are making yourself a gaming rig, buy it outright)
      The latest 4K TV ( yeah not so much. Save up the cash for it and buy it outright.)

    8. Re: Cash by Anonymous Coward · · Score: 1

      Except this was a breach for online orders, which has nothing to do with EMV. This is why I try to use PayPal wherever it is accepted which, yes, has its own issues but at least there isn't anything that the merchant stores that screws me over when stolen.

    9. Re: Cash by dougdonovan · · Score: 1

      always pay cash when buying from fast food. they are not...into technology. they are into feeding you. a mortgage, car payment or a utility bill is different. none of those come to your front door for payment.

    10. Re:Cash by Anonymous Coward · · Score: 0

      LOL... No, cash is not best. For all of this drama about compromised card numbers, the impact on me has been very minimal. Over the last 20 years, I'd say one of my cards has been compromised maybe a dozen times. In most situations I hardly notice. A new card shows up one day and says to start using it, or a CSR calls me to ask if I made a charge, I say no, and they say a new card will be sent out and I get it in 1 to 3 days. They generally tell me that my card is no longer valid, so I just switch to one of the others I keep in my wallet for the next couple days until I get my new card. Any valid charges I've already made go through fine. My future autopay payments (ie: utilities) also go through fine for the next payment.

      In total, I spend maybe 10-20 minutes every couple of years dealing with the "fallout" of my compromised account. That includes logging in to all my utilities and entering my new account number. That's not a very big time investment. Most of the cash-only people I know spend way more time than that stopping off at an ATM every week (if not multiple times per week) to get their cash. I pretty much never have to go out of my way to get cash. Maybe once a year I have to be at a bank for another purpose and just get a few hundred dollars while I'm there. Aside from that, I occasionally get cash from stuff I sell on craigslist, and from my kids' birthday money (they get cash, I keep the cash then ACH that amount from my account to their account). That $300-400 or so lasts me the entire year.

      Never has any of these breaches ever cost me a single penny. On the other hand, using credit cards has made me plenty of money: well over $1000 every year in sign up bonuses and cash back on purchases. However, I am grateful for other people using cash....I've found several hundred dollars on the ground over the years (including one find of $125 in a parking lot once).

      Yes, I am aware that my bonuses and cashback don't come from nowhere. It's partially paid for by merchant fees on credit card purchases, but it's worth noting that running a cash business isn't without cost either. Increased cash flow often means an increase in robberies, employee theft, and fees paid to security companies to transport your many thousands of dollars in cash to the bank safely. My bonuses are also partially funded by the interest and fees paid by people who carry a balance and incur late/over-limit fees. However, eliminate credit cards and those people still pay fees for bounced checks and overdrawn accounts. They still go into debt by doing a cash-out refinance of their house. They take their expensive goods to the pawn shop for cash and often later end up paying a large sum to get that item back or have to buy it new again at full price. They buy from rent-to-own places and end up paying ridiculous prices. Or in today's world, you can see what truly happens when you eliminate credit cards....those with poor credit who cannot get a credit card end up going to those paycheck advance places (that's the true evil where you should really be focusing your rage) and end up selling their future earnings for a discount today, perpetuating a spiral of increasing debt.

      So no, eliminating credit cards will neither have much effect on retail prices nor prevent consumers from going into debt or paying a bunch of fees.

    11. Re:Cash by Rick+Schumann · · Score: 1

      Don't change anything, just keep doing the same thing over and over again forever and cross your fingers that nothing bad happens to YOU! CONVENIENCE is more important than keeping your accounts and identity secure!

      You're ridiculous and you don't even understand WHY you're ridiculous. Electronic payment systems are clearly and objectively INSECURE and UNRELIABLE now, there are security breaches practically EVERY GODDAMNED DAY, and you're recommending just ignoring that? Utter stupidity. GO BACK TO USING CASH until they get on the ball and fix the security problems!

    12. Re:Cash by eric_harris_76 · · Score: 1
      --
      There's no time like the present. Well, the past used to be.
  2. Re: Nanny state by Anonymous Coward · · Score: 0

    But I need stuffed crust pizza you fuck. Are you gonna make it for me? Are you?!?

  3. So what by Anonymous Coward · · Score: 0

    Your loss is limited. And anyone eating at the Hut doesn't know what good pizza tastes like.

    1. Re:So what by AmiMoJo · · Score: 1

      Do the banks go after Pizza Hut for their losses?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:So what by ShanghaiBill · · Score: 4, Informative

      Do the banks go after Pizza Hut for their losses?

      No. They go after the merchants that accepted the fraudulent transactions. If you run an online business, and you accept "card not present" transactions, then you are SOL if the bank issues a chargeback. You can verify the address, or at least the zipcode, to cut down on fraud, or you can just eat the loss as a cost of doing business. Either way, there are no "losses" for the bank. That is why they have no incentive to fix the system. It is not their problem.

    3. Re:So what by Anonymous Coward · · Score: 0

      As usual, Billy, you are wrong. As long as the merchant follows proper protocol and they have not engaged in fraud themselves, they are not liable for fraudulent CNP transactions. Rather than the issuing bank, the hosting (merchant) bank is liable for reimbursement. Merchants rarely are liable for transaction fraud and it is a myth that chargebacks come out of their pocket. Of course, there is an exception because of chip enabled cards, but this only applies for card present transactions.

  4. I think we can relax by Patent+Lover · · Score: 1

    I'm pretty sure the information that can be gleaned from a Pizza Hut customer is not exactly going to make a cyber criminal rich.

    1. Re:I think we can relax by Ritz_Just_Ritz · · Score: 2

      Cardiologists are probably lining up on the dark web to get their hands on that future customer list....

  5. Re: Nanny state by Anonymous Coward · · Score: 0

    No. You don't need it.

  6. Re: Nanny state by Anonymous Coward · · Score: 1

    I need it! Either you get me my stuffed crust or you get on your knees and Instuff your crust. Now what's it gonna be?!?

  7. The average American land whale doesn't need pizza by Anonymous Coward · · Score: 0

    If this causes them to stop shoveling pizza down their pie holes for a few days it's a good thing. Not to mention Pizza Hut "pizza"

  8. Re: Nanny state by Anonymous Coward · · Score: 1

    (gets on knees, opens mouth wide)

    Do what you must, stuff my crust.

  9. Re: Nanny state by Anonymous Coward · · Score: 1

    All their food tastes like shit now. They cheapened things up and tried to make them healthier. Give me that greasy food they used to make in the 90s.

  10. 60k? by Anonymous Coward · · Score: 2, Informative

    That number is very low for a nationwide chain. That's the customers in like one town.

    As always, shrug and watch your statements. Your CC info is out there somewhere.

    1. Re:60k? by Anonymous Coward · · Score: 0

      I suspect that is the transactions that happened during the time of the exploit, not their entire customer database.

    2. Re:60k? by pnutjam · · Score: 1

      I didn't read the article, but I'm a bit heartened that at least this seems to indicate they aren't storing CC numbers forever, like so many companies.

    3. Re:60k? by Anonymous Coward · · Score: 0

      Not necessarily. I know their site has an option to store cc numbers for future orders, but even if you don't use that option that doesn't mean they are not storing it anyway. We don't know the details of the breach, so it's possible the hackers didn't get everything and plausible they only got transactions from a range of dates. Could have been a MITM attack for all we know.

    4. Re:60k? by orgelspieler · · Score: 1

      Funny, I read that and thought, "Pizza Hut still has 60,000 customers?" I don't even know where the nearest Pizza Hut is.

    5. Re:60k? by HiThere · · Score: 1

      The summary said that it was only the customers who ordered within one time period of less than a day that were leaked. If so it sounds as if only orders in transit were leaked.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  11. Why do they keep all that information ... by Alain+Williams · · Score: 5, Insightful

    on some machine that is capable of being cracked? Once they have sought payment from the credit card company - why do they keep the CVV number? If, for some reason, they really need to (eg: easy next order), then keep all that sensitive information on some machine with a very narrow API (eg: charge customer 1234 $20 - tell me if this is approved). Many problems could be, at least partly, mitigated if they did not store everything in one big damn SQL database!

    1. Re: Why do they keep all that information ... by Anonymous Coward · · Score: 1

      They have to keep all that info until closing.

      Transactions are approved at time of sale, but processing is the last thing they do before shutting down the registers.

      That's why it affected only one day of customers. Because that DB only has info during business hours and is purged as transactions are completed.

    2. Re:Why do they keep all that information ... by Anonymous Coward · · Score: 0

      I thought CVV numbers were never supposed to be stored in a database, like, ever...?

      This should mean that Pizza Hut just lost its PCI certification, and can no longer take credit cards from anyone until it gets re-audited.

      I think that would actually be an appropriate penalty for this sort of thing: inflicting cost that's both related and proportional to the offense, and immediately focusing the C-suits' attention in the right place.

    3. Re:Why do they keep all that information ... by Anonymous Coward · · Score: 0

      HA! Joke's on you! It's not a big damn SQL database. It's all in a file called detailedcustomerdata.txt. The reason it wasn't leaked before is that hackers just thought it was a big obvious honeypot.

    4. Re:Why do they keep all that information ... by Solandri · · Score: 2

      It's illegal to store credit card numbers without the card holder's authorization.

      That said, if you check the little box which says "remember my credit card info for future purchases," you've authorized them to store it. You've traded away security for a little convenience.

    5. Re:Why do they keep all that information ... by gnasher719 · · Score: 1, Interesting

      It's double illegal to store the CVV number.

      When a site says "remember my credit card info for future purchases", they are still not allowed to store your credit card number. They are allowed to convert the credit card number into a token that allows transfer of money from your bank account to Pizza Hut's bank account, and to use that token when you order again. That kind of token is useless to any hacker except to create a bit of mischief, because it can only be used to send money to Pizza Hut, and not to anyone else.
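An added sketch, not code from this thread or from any real tokenization service, of the design described in this comment and in the "narrow API" comment that opened the subthread: one vault component holds card numbers behind a charge-only interface, the merchant's web tier keeps just a token and last four digits, and the token is bound to the merchant that created it. The issuer lookup table, the merchant ids and the card numbers (standard test numbers) are constructed for the example.

```python
"""Constructed sketch of a merchant-scoped card token behind a narrow vault API."""
import secrets
from dataclasses import dataclass

# Constructed issuer records (PAN -> (CVV, expiry)); stand-in for the issuing bank.
_ISSUER_CARDS = {
    "4111111111111111": ("123", "12/29"),
    "5555555555554444": ("999", "06/28"),
}


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: cheap sanity check before bothering the issuer."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(pan)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class CardVault:
    """The only component that ever holds full card numbers; its API is deliberately narrow."""

    def __init__(self):
        self._records = {}  # token -> (merchant_id, pan, expiry)

    def tokenize(self, merchant_id: str, pan: str, cvv: str, expiry: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("PAN fails Luhn check")
        # Verify with the issuer once; the CVV is used here and never written anywhere.
        if _ISSUER_CARDS.get(pan) != (cvv, expiry):
            raise ValueError("card verification failed")
        token = "tok_" + secrets.token_hex(12)
        self._records[token] = (merchant_id, pan, expiry)
        return token

    def charge(self, merchant_id: str, token: str, amount_cents: int) -> str:
        rec = self._records.get(token)
        if rec is None:
            return "DECLINED: unknown token"
        bound_merchant, pan, expiry = rec
        if bound_merchant != merchant_id:
            return "DECLINED: token bound to another merchant"
        if amount_cents <= 0:
            return "DECLINED: invalid amount"
        # The vault would now send (pan, expiry, amount) to the network; simulated as approved.
        return "APPROVED"


@dataclass
class SavedCard:
    email: str
    token: str
    last4: str


class MerchantBackend:
    """The web/app tier: stores tokens and last4 only, never the PAN or CVV."""

    def __init__(self, merchant_id: str, vault: CardVault):
        self.merchant_id = merchant_id
        self._vault = vault
        self._customers = {}

    def save_card(self, email: str, pan: str, cvv: str, expiry: str) -> str:
        token = self._vault.tokenize(self.merchant_id, pan, cvv, expiry)
        self._customers[email] = SavedCard(email, token, pan[-4:])
        return token

    def reorder(self, email: str, amount_cents: int) -> str:
        return self._vault.charge(self.merchant_id, self._customers[email].token, amount_cents)

    def dump(self):
        """Everything an attacker who copies this tier's database would get."""
        return [(c.email, c.token, c.last4) for c in self._customers.values()]


def demo() -> dict:
    vault = CardVault()
    pizza = MerchantBackend("pizza-shop-001", vault)
    token = pizza.save_card("alice@example.com", "4111111111111111", "123", "12/29")
    out = {"reorder": pizza.reorder("alice@example.com", 1899)}
    # A stolen token is useless to any other merchant...
    out["stolen_token_elsewhere"] = vault.charge("other-shop-777", token, 1899)
    # ...but can still place orders at the merchant it is bound to (the "bit of mischief").
    out["stolen_token_at_merchant"] = vault.charge("pizza-shop-001", token, 1899)
    leaked = pizza.dump()
    out["pan_in_merchant_db"] = any("4111111111111111" in field for row in leaked for field in row)
    return out
```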

    6. Re:Why do they keep all that information ... by Anonymous Coward · · Score: 1

      It’s not illegal at all. The PCI council is not affiliated with any government and does not make laws.

      It’s double stupid, sure, but not illegal.

    7. Re:Why do they keep all that information ... by Anonymous Coward · · Score: 3, Insightful

      Let's clarify, as someone else tried for you. It is not illegal, or double illegal.

      Legally you can store CC numbers on fliers you put on everyone's door for advertisement. PCI is a set of rules that show you follow industry standard for protecting CC numbers (it isn't actually protecting them, it's following a set of rules that may or may not protect them). IF you follow PCI rules and there are fraudulent transactions, you are not responsible. IF you do NOT follow PCI rules and there are fraudulent transactions, you are responsible.

      That being said, I don't believe Target, Home Depot, Michaels, or anyone else has been held responsible despite NOT following PCI rules. So despite what is written down, what is enforced doesn't follow. It appears companies are not required to follow PCI and any fraud they help is still card holder's responsibility.

    8. Re:Why do they keep all that information ... by Anonymous Coward · · Score: 0

      This is how EMV (chip cards) works, except the sensitive information never leaves unreadable memory on the card and the processing you describe is done in a processor on the card itself, with the result marked using an asymmetric-key cryptographic signature generated by the card's CPU. Pizza Hut was one of the (increasingly rare) US businesses that refused to upgrade their terminals and went on a big rant about how EMV was pointless since their systems were already so secure. I expect they will change their tune now.

    9. Re:Why do they keep all that information ... by Alain+Williams · · Score: 1

      Pizza Hut was one of the (increasingly rare) US businesses that refused to upgrade their terminals

      Does this mean that Pizza Hut may be sued by people as it failed to take reasonable, and readily available, measures to protect credit card information ?

    10. Re:Why do they keep all that information ... by AmiMoJo · · Score: 1

      They probably aren't permanently storing it, the hackers likely got in to the web back end that hands the CVV and other card details to their payment processor. Normally the CVV would be stored in memory for the duration of the transaction only.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    11. Re:Why do they keep all that information ... by Anonymous Coward · · Score: 0

      Right, but we all know of at least one site or service that ignores this. And BTW, not being PCI certified doesn't mean you suddenly can't take CC payments anymore. It's just a badge that in theory gives your users or partner business more trust. Sure, some will choose to not do business with you if you lose it, but do Pizza Hut customers really know or care about PCI? Not many.

    12. Re:Why do they keep all that information ... by Anonymous Coward · · Score: 0

      I think that requirement is just about as enforced as the restrictions on the use of Social Security numbers being only used for SS purposes (up until a few years ago). From what I understand very few companies process payments in real time. They tend to batch them on a daily basis, necessitating they be stored for at least a short time otherwise (presumably) they wouldn't get paid.

    13. Re:Why do they keep all that information ... by Rick+Schumann · · Score: 1

      Because everyone on the receiving end of your money doesn't give a rat's ass about YOU being secure so long as they get your money. So far as they're concerned all these security breaches are YOUR problem and they can't be bothered. GO BACK TO USING CASH. Then it won't be a problem anymore.

  12. Pizza Hut problems by DogDude · · Score: 0, Insightful

    If you're eating at Pizza Hut, you've got bigger problems in your life than getting your credit card number stolen again.

    --
    I don't respond to AC's.
    1. Re:Pizza Hut problems by Anonymous Coward · · Score: 2, Insightful

      Tell you what then: Post your CC details here, and I'll go eat at Pizza Hut tonight. We can touch base again here week to see how we're both doing.

    2. Re:Pizza Hut problems by Anonymous Coward · · Score: 0

      i'm a transwoman gay black trump supporter and u must mean poopy gay bum farts that u get from when u eat the pizza..

  13. 1%, Caught within 28 hours, calling in experts by raymorris · · Score: 5, Interesting

    According to the article, it affected fewer than 1% of customers that weekend, the intrusion was stopped within 28 hours, and they've called in outside experts to take an objective look at it and help them improve their security posture. They did get hacked, AND they are doing some things right.

    It looks like they had some monitoring in place that caught it - good.
    They are getting assistance from security professionals - good.
    Those professionals don't work for the same internal IT department that had a deficiency in the first place - good.

    The fact that they got hacked means there were several things wrong. They should have had multiple layers of security. Yet they are also doing some things right.

    1. Re:1%, Caught within 28 hours, calling in experts by Anonymous Coward · · Score: 0

      They did get hacked, AND they are doing some things right.

      I agree. Unfortunately, one of the things they are not doing right is making pizza.

      Pizza hut pizza, at its very best, is mediocre. Usually not even that.

  14. Re: Nanny state by Anonymous Coward · · Score: 0

    Right? That's so BS, 2 weeks is great time. Equifux waited half a year then kept lying.

  15. Illegal to the T by Anonymous Coward · · Score: 0

    Oh they will get fined if anything at all and fines do not work when it comes to businesses, just a cost of doing business because it is cheaper than being up to code. The only successful deterrent would be to revoke the corporate charter then arrest the top execs and put them in prison along with the poor white and black "trash".

  16. Tips by Anonymous Coward · · Score: 0

    1- Never save credit card with a merchant.
    2- Never accept privacy statements for a false feeling of security since they can't be trusted anyway. Always assume everything will be leaked, intentionally or through gaping security holes.
    3- Do not create accounts on websites or with merchants. If needed, just go to another website to make that purchase as a guest.
    4- For any account, choose a different and safe password and add 2-factor authentication if available. This offers no guarantee in any way, but at least let's close the doors that can be closed.
    5- Limit or eliminate any subscriptions (Apple, Netflix, Microsoft, etc).
    6- Do not make your Facebook profile public, including your profile picture, or post anything public and make it easy for identity thieves. If possible, do not use Facebook (or Google+).
    7- Limit social account friends to the minimum. If posting something controversial and it's shared (maybe goes viral), these are not your friends.
    8- Do not answer phone calls from callerids not in the contacts list. Let go to voicemail.

    Aside from credit card payments, many people need to share their bank routing information for at least home rent and/or home utilities for monthly "pull" payments. Unfortunately, in the US most people are sitting financial ducks in one or more ways.

  17. Do not trust third parties with your credit card by davecb · · Score: 1

    In fact, treat them the same way SMERSH kept trying to treat James Bond. Death To Spies!

    --
    davecb@spamcop.net
  18. Re:Nanny state by Anonymous Coward · · Score: 0

    haha yup, those librul snowflakes amirite?? haha... not like us conservative REAL MEN haha?

  19. How many of those 60k weren't already... by Anonymous Coward · · Score: 0

    caught in the Equifax hack?

    And how much bigger was the Equifax hack than the PH one?

    Given that it took... 5 years for the Yahoo hack, and 3(?) years for the Equifax hack compromised customers information to be documented and released, I would say pizza hut did their due diligence far better than some of the 'industry leading professionals' have.

    Good job Pizza Hut. You may have fucked a bunch of your customers, but you did it with the tip, not the shaft, like your compatriots! :)

  20. you buy pizzas on credit? by Anonymous Coward · · Score: 0

    amazing

  21. Security Fatigue by Lije+Baley · · Score: 1

    The future is everyone giving up and buying cyber-loss insurance. My house doesn't have to be a fortress with me guarding it 24/7 to get homeowner's insurance. The same level of practicality and get-on-with-your-life thinking needs to come to all of this cyber-security business.

    --
    Strange things are afoot at the Circle-K.
  22. Data theft = fact of life by Kargan · · Score: 1

    Your personal and financial information has already been stolen, whether the company holding your data has admitted it or not (or more to the point, regardless of whether they even *know it* or not). And if it hasn't yet, it will be. Count on it.

    Your information is not stored safely, period. Just accept it, move on and conduct yourself accordingly. It's a fact of life these days.

    --
    Palaces, barricades, threats, meet promises
  23. The story is only developing. Wait for it... by jbn-o · · Score: 1

    According to the article, it affected fewer than 1% of customers that weekend, the intrusion was stopped within 28 hours, and they've called in outside experts to take an objective look at it and help them improve their security posture.

    I think we've seen enough stories of this kind to know that businesses lie about the extent of the loss of control of relevant systems and by default we should not believe them their first report. We've even seen these kinds of stories repeated on /. recently:

    • Equifax Increases Number of Britons Affected By Data Breach To 700,000—Equifax reported they lost control of around 400,000 Britons' information in a data breach then later it turns out the number increased to around 700,000.
    • Yahoo Triples Estimate of Breached Accounts To 3 Billion—Yahoo reported they lost control of around 1 billion user accounts then later it turns out they lost control of around 3 billion (basically all) Yahoo accounts and "compromised customer information included usernames, passwords, and in some cases telephone numbers and dates of birth" which strikes me as information imposters may find useful.
    • Hyatt Hotels Discovers Card Data Breach At 41 Properties Across 11 Countries—after an initial breach involving losing "access to credit card systems at 250 properties in 50 different countries", "Hyatt said its cyber security team discovered signs of unauthorized access to payment card information from cards manually entered or swiped at the front desk of certain Hyatt-managed locations between March 18, 2017 and July 2, 2017" which "impacted 41 properties across 11 countries".

    If you think this is the beginning and ending of this story, you have not been paying attention.

    What to do about it? Using cash is a short-term solution for a narrow problem but doesn't address the de-anonymization efforts underway for cash (unique IDs embedded in paper currency, for instance) and doesn't address whether we should trust Pizza Hut or Yum! Brands at all.

    If we think like legislatures apparently do regarding drug law, copyright law, and so on, then the ugly patterns have formed and it's time to get punitive (just as they apparently do at the behest of big businesses against the wishes of the citizenry). Tell big businesses that they stand to be disincorporated when they lose exclusive access to their systems or hire other businesses that lose said exclusive access, because we value not being defrauded more than we value their lax business practices. We also need to remain vigilant over credit law and make sure that liability is always limited to some low value and always kept in place for the credit user. We should never stand for credit card processors of any kind making it easier to move the liability for fraud to the end user.

  24. If you're like me... by saltydogdesign · · Score: 1

    ... the first question this post raised was, "Pizza Hut has customers?"

    --
    // This is not a sig.
  25. Good response, bad systems by Xenographic · · Score: 2

    The response is good, but the funny thing is that I have long refused to let them store my CC number because the password policy they have is insane. I can't remember what it is right now, but I think they wouldn't let you use most symbols or spaces and had a really short maximum length.

    I figured that anyone who would force their customers to use laughably weak passwords had poor internal security. I'm glad to see their response is better than I would've expected, but the fact that they got cracked does not surprise me at all. Fortunately, all they have is my address.
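
The kind of policy the comment above describes (short maximum length, most symbols and spaces rejected) can be put side by side with a length-based policy in the style of NIST SP 800-63B. This is an added example, not the poster's code and not Pizza Hut's actual policy; both policy definitions and the breached-password blocklist are constructed for illustration.

```python
"""Added example (not from the thread): a password policy checker that
contrasts a restrictive legacy policy (short cap, alphanumerics only)
with a modern length-based policy that allows any printable character
and rejects known-breached values.  Policies and blocklist are constructed."""

import string

# Legacy policy of the kind described in the comment: short maximum
# length and no symbols or spaces, which rules out long passphrases.
LEGACY_POLICY = {
    "min_len": 6,
    "max_len": 12,
    "allowed": set(string.ascii_letters + string.digits),
    "blocklist": set(),
}

# Modern policy modelled on NIST SP 800-63B guidance: generous length,
# no composition rules, screen against a list of breached passwords.
MODERN_POLICY = {
    "min_len": 8,
    "max_len": 128,
    "allowed": None,  # None means any printable character, spaces included
    "blocklist": {"password", "pizza123", "qwerty123", "letmein"},  # constructed
}


def check_password(password, policy):
    """Return the list of reasons the password fails the policy.

    An empty list means the password is accepted under that policy.
    """
    reasons = []
    if len(password) < policy["min_len"]:
        reasons.append("too short")
    if len(password) > policy["max_len"]:
        reasons.append("too long")
    allowed = policy["allowed"]
    if allowed is not None and any(ch not in allowed for ch in password):
        reasons.append("disallowed character")
    if not password.isprintable():
        reasons.append("non-printable character")
    # Blocklist comparison is case-insensitive so trivial variants are caught too.
    if password.lower() in policy["blocklist"]:
        reasons.append("known-breached value")
    return reasons


def compare_policies(password):
    """Evaluate one candidate under both policies; used by the demo below."""
    return {
        "legacy": check_password(password, LEGACY_POLICY),
        "modern": check_password(password, MODERN_POLICY),
    }


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Pizza123"):
        print(repr(candidate), compare_policies(candidate))
```

The legacy policy rejects a 28-character passphrase on two counts (length cap and the spaces) while accepting a short dictionary-based value; the modern policy does the reverse, which is the point the comment is making about what a restrictive policy actually selects for.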

    1. Re:Good response, bad systems by theCoder · · Score: 1

      Huh, they must have changed over time. About a decade ago, I ordered a pizza for carry out from their website and I had to create an account and I remember the password requirements were quite stringent. I don't remember the details, but it did impress on me that the requirements were much more than what was required to protect what amounted to my zip code. Maybe they got pushback from customers on how hard it was to come up with a password. Though having a short maximum length and not allowing symbols is bad practice in the other direction.

      --
      "Save the whales, feed the hungry, free the mallocs" -- author unknown
  26. They're not allowed to store the CVV by sremick · · Score: 1

    From Wikipedia:

    "As a security measure, merchants who require the CVV2 for "card not present" payment card transactions are required by the card issuer not to store the CVV2 once the individual transaction is authorized.[6] This way, if a database of transactions is compromised, the CVV2 is not included, and the stolen card numbers are less useful. Virtual terminals and payment gateways do not store the CVV2 code, therefore employees and customer service representatives with access to these web-based payment interfaces who otherwise have access to complete card numbers, expiration dates, and other information still lack the CVV2 code.

    The Payment Card Industry Data Security Standard (PCI DSS) also prohibits the storage of CSC (and other sensitive authorisation data) post transaction authorisation. This applies globally to anyone who stores, processes or transmits card holder data.[7]"

    So, considering that, what happens now? Pizza Hut should have their merchant license revoked and no longer accept credit card payments.
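
The quoted PCI DSS rule (sensitive authentication data such as the CVV2 is used for the authorization request and must not be retained afterwards) is easy to state and easy to violate by accident, typically by logging the request object or persisting the whole order form. The following is an added example, not code from the thread or from any merchant: a persistence layer that separates the one-shot authorization request from the record that may be stored, plus a scanner over stored records that flags any sensitive authentication data or unmasked card number that slipped through. Field names, the sample order and the masking to first-six/last-four digits are assumptions made for the illustration.

```python
"""Added example (not from the thread): enforcing 'never store CVV2 after
authorization' in a payment persistence layer, and auditing stored records
for sensitive authentication data.  Field names and sample data are constructed."""

import re

# Sensitive Authentication Data (SAD) under PCI DSS: may be sent to the
# gateway for authorization but must never be written to the transaction store.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "csc", "cvc", "track1", "track2", "pin", "pin_block"}

# An unmasked primary account number is 13 to 19 digits.
FULL_PAN = re.compile(r"\d{13,19}")


def mask_pan(pan):
    """Keep the first six and last four digits (a common display allowance); mask the rest."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 10:  # too short to be a real PAN; mask everything
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def build_auth_request(order):
    """The only place the CVV2 is used: the one-shot request sent to the gateway."""
    return {
        "amount_cents": order["amount_cents"],
        "pan": order["pan"],
        "exp": order["exp"],
        "cvv2": order["cvv2"],
    }


def to_stored_record(order, auth_ref):
    """What may be persisted after authorization: SAD dropped, PAN masked, auth reference kept."""
    record = {k: v for k, v in order.items() if k.lower() not in SENSITIVE_AUTH_FIELDS}
    record["pan"] = mask_pan(order["pan"])
    record["auth_ref"] = auth_ref
    return record


def find_sad_violations(records):
    """Audit persisted records; return (index, field) for every SAD field or unmasked PAN."""
    violations = []
    for i, rec in enumerate(records):
        for key, value in rec.items():
            if key.lower() in SENSITIVE_AUTH_FIELDS:
                violations.append((i, key))
            elif key.lower() == "pan" and isinstance(value, str) and FULL_PAN.fullmatch(value):
                violations.append((i, "unmasked_pan"))
    return violations


# Constructed sample order (test card number, not a real account).
SAMPLE_ORDER = {
    "amount_cents": 1599,
    "pan": "4111111111111111",
    "exp": "12/26",
    "cvv2": "123",
    "zip": "40202",
}


def run_demo():
    """Store one order correctly, then show the scanner catching a logged raw request."""
    stored = to_stored_record(SAMPLE_ORDER, "AUTH-0001")
    # Simulate the classic mistake: the raw authorization request ended up in the store.
    leaked = build_auth_request(SAMPLE_ORDER)
    return stored, find_sad_violations([stored]), find_sad_violations([stored, leaked])


if __name__ == "__main__":
    stored, clean, dirty = run_demo()
    print("stored record:", stored)
    print("violations in clean store:", clean)
    print("violations once raw request is persisted:", dirty)
```

The split matters in practice: if the only object that ever contains the CVV2 is the request built immediately before the gateway call, there is nothing to forget to delete, and the scanner gives an auditor a cheap way to confirm that the transaction store and its logs contain neither SAD nor full card numbers.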

    1. Re: They're not allowed to store the CVV by Anonymous Coward · · Score: 0

      What a waste of a low user ID. Seriously. Did you even read the summary? Somebody sniffed the traffic from the website when someone ordered and extracted the CC info from there.

  27. I don't know what's worse by scourfish · · Score: 1

    Having your personal info stolen or others finding out that you ate at Pizza Hut. They both seem pretty terrible.

  28. Two Weeks? by Anonymous Coward · · Score: 0

    People are complaining about a two week delay? Experian waited MONTHS, involved FAR more people and exposed much more sensitive information before they finally came clean (and after their execs dumped some stock).

  29. Stop using plastic, start using cash again by Rick+Schumann · · Score: 1

    About 4 months ago I stopped using plastic for everything and started using cash as much as possible because of constant security breaches like this one. I'm recommending in the strongest words possible that everyone do the same, unless you really want to continually expose yourself to the threat of having your bank accounts drained and/or credit cards maxed out and/or identity stolen. The more you use plastic the more exposed you are and there's no getting around that anymore, and the situation is not going to improve until they find a way to prevent these incursions from happening in the first place. At this point in time the minimal risk of maybe getting mugged for $100 in your wallet is far less than getting your entire LIFE 'virtually mugged' by some cybercriminal organization that rapes all your accounts and rapes you for your identity, ruining your life completely.

  30. Domino's Pizza by Anonymous Coward · · Score: 0

    Makes one think of Domino's Pizza. It would be good to get a Domino's Pizza in North Walsham, Norfolk, Britain.

  31. Time to out the 3rd party company by Anonymous Coward · · Score: 0

    People forget that almost every single credit card transaction is done via a very small number of 3rd party processors.

    But do you see the name of the processing company anywhere in these reports?
    How much do you want to bet that most of the breaches can be tracked back to a single processing company?