Slashdot Mirror
Pizza Hut Leaks Credit Card Info On 60,000 Customers (kentucky.com)
An anonymous reader quotes McClatchy:
Pizza Hut told customers by email on Saturday that some of their personal information may have been compromised. Some of those customers are angry that it took almost two weeks for the fast food chain to notify them. According to a customer notice emailed from the pizza chain, those who placed an order on its website or mobile app between the morning of Oct. 1 and midday Oct. 2 might have had their information exposed. The "temporary security intrusion" lasted for about 28 hours, the notice said, and it's believed that names, billing ZIP codes, delivery addresses, email addresses and payment card information -- meaning account number, expiration date and CVV number -- were compromised... A call center operator told McClatchy that about 60,000 people across the U.S. were affected.
"[W]e estimate that less than one percent of the visits to our website over the course of the relevant week were affected," read a customer notice sent only to those affected, offering them a free year of credit monitoring. But that hasn't stopped sarcastic tweets like this from the breach's angry victims.
"Hey @pizzahut, thanks for telling me you got hacked 2 weeks after you lost my cc number. And a week after someone started using it."
"[W]e estimate that less than one percent of the visits to our website over the course of the relevant week were affected," read a customer notice sent only to those affected, offering them a free year of credit monitoring. But that hasn't stopped sarcastic tweets like this from the breach's angry victims.
"Hey @pizzahut, thanks for telling me you got hacked 2 weeks after you lost my cc number. And a week after someone started using it."
According to the article, it affected fewer than 1% of customers that weekend, the intrusion was stopped within 28 hours, and they've called in outside experts to take an objective look at it and help them improve their security posture. They did get hacked, AND they are doing some things right.
It looks like they had some monitoring in place that caught it - good.
They are getting assistance from security professionals - good.
Those professionals don't work for the same internal IT department that had a deficiency in the first place - good.
The fact that they got hacked means there were several things wrong. They should have had multiple layers of security. Yet they are also doing some things right.
It's double illegal to store the CVV number.
When a site says "remember my credit card info for future purchases", they are still not allowed to store your credit card number. They are allowed to convert the credit card number into a token that allows transfer of money from your bank account to Pizza Hut's bank account, and to use that token when you order again. That kind of token is useless to any hacker except to create a bit of mischief, because it can only used to send money to Pizza Hut, and not to anyone else.