Slashdot Mirror


Pizza Hut Leaks Credit Card Info On 60,000 Customers (kentucky.com)

An anonymous reader quotes McClatchy: Pizza Hut told customers by email on Saturday that some of their personal information may have been compromised. Some of those customers are angry that it took almost two weeks for the fast food chain to notify them. According to a customer notice emailed from the pizza chain, those who placed an order on its website or mobile app between the morning of Oct. 1 and midday Oct. 2 might have had their information exposed. The "temporary security intrusion" lasted for about 28 hours, the notice said, and it's believed that names, billing ZIP codes, delivery addresses, email addresses and payment card information -- meaning account number, expiration date and CVV number -- were compromised... A call center operator told McClatchy that about 60,000 people across the U.S. were affected.
"[W]e estimate that less than one percent of the visits to our website over the course of the relevant week were affected," read a customer notice sent only to those affected, offering them a free year of credit monitoring. But that hasn't stopped sarcastic tweets like this from the breach's angry victims.

"Hey @pizzahut, thanks for telling me you got hacked 2 weeks after you lost my cc number. And a week after someone started using it."

42 of 76 comments

  1. Cash by Anonymous Coward · · Score: 1, Insightful

    And folks, that's why cash is best.

    Credit cards are nothing but evil. Although, if you want to travel, you can't live without them.

    Credit is just an evil. There's very little good about it - for consumers.

    Now, business credit is called "leverage" and that's a whole different issue.

    But for Joe Public, credit cards should just be outlawed. Just destroy them and their business. If it weren't for them, much of our economic dysfunction wouldn't exist. It just distorts everything....

    1. Re:Cash by Anonymous Coward · · Score: 3, Insightful

      Cash doesn't come with zero liability like credit cards often do. If one's card is stolen or number compromised, they're just mailed a new card. Easy, no hassles. Sure, one occasionally hears horror stories, but that's why one should be somewhat selective with the credit card issuers they choose to do business with.

      As for accumulating debt, one can just pay the bill in full every month like many do. In which case, no debt to worry about. So one gets all the benefits of zero liability, plus rewards, extended warranty, plus convenience. Cash is easy to lose, easy to steal, easy to get wrong change, plus the slight chance of getting counterfeit bills too.

      Also, good luck trying to mail order anything with cash. Most places don't accept COD anymore. Sure one could mail a money order or check, but good luck with that. Pre-paid and debit cards are a work-around for mail order, but are no panacea; less ideal than paying with a credit card. For renting a car, the guest with a credit card will be well on their way while the cash customer is still waiting on paying the sizable deposit, which may be based, in part, on one's credit. A catch-22 there for one who doesn't use any credit cards.

      Bottom line, despite all the issues, cashless payments are the reality. Even more so for young people today who often avoid using cash even for the smallest purchases. Anyone working in retail observes this every day.

    2. Re:Cash by Bryansix · · Score: 1

      I have a better solution. All transactions should be based on a challenge/response using encryption. No single transaction should expose the actual account number. The data that is sent in response should only work for a single transaction. Note that some credit card issuers use this technology already but it requires an application running on your computer or phone.

    3. Re:Cash by ShanghaiBill · · Score: 1

      That is a sensible idea, but there is a big problem: Those with the power to fix the system have no incentive to do so. The cost of fraud is pushed onto the merchants. The hassle of dealing with identity theft is dumped on the consumer. Mastercard and Visa have a vested interest in the current system, since any attempt at reform would quickly expose them as parasites that can be easily bypassed. The banks also have a vested interest in keeping the current system since a new system would likely be a "charge" system run by tech companies rather than a "credit" system run by banks.

      Don't expect the government to take the lead, since any attempt at reform will be demagogued as "big government" by the incumbents.

      America is too dysfunctional to fix the problem. Other countries have already come up with their own solutions. China's WeChat payment system is way superior to anything we have in the USA, or are likely to have in the next decade.

    4. Re:Cash by Jeremi · · Score: 1

      And folks, that's why cash is best.

      Cash has its own problems, as anyone who has been pickpocketed (or wound up holding a worthless counterfeit bill) will tell you.

      Credit cards are nothing but evil. Although, if you want to travel, you can't live without them.

      They aren't entirely evil, since as you admit they can be really useful.

      The problem with credit cards is they are insecure; in particular they are vulnerable to replay attacks.

      Upgrade them to a proper cryptographic protocol and they can be just as secure as any other type of electronic payment system (e.g. Apple Pay or Android Pay), with no need to trust Pizza the Hut or anyone else to keep secrets for you. Why the credit card companies haven't done this already is a bit of a head-scratcher; the technology and the know-how is out there.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.

    5. Re:Cash by Anonymous Coward · · Score: 1

      To expand on the point slightly, the way EMV works (chip cards, chip and pin, etc.) is that there is a microprocessor embedded in the card with an embedded unreadable private key. When you insert your card into a payment terminal, it cryptographically signs the transaction presented by the terminal, returning the signed copy (the "EMV cryptogram"), which is forwarded to the bank and can be used only for that exact transaction that one time. If you have a PIN, the card requires the PIN along with the invoice from the terminal to perform the signature step. Because the only multi-use account information is the private key, which can only be used by the card but not read by the terminal, the cards are not clonable and information from the card or transaction cannot be used to complete any other transaction.

      The entire point of the system is to prevent breaches exactly like this one, and it does a very good job of it. Despite the cynicism in this thread, the US is well along towards completing deployment. Pizza Hut is one of only a few holdouts -- unsurprisingly, these kinds of breaches are somehow only happening in the few retail businesses that made a big point about how EMV was pointless and refused to update their equipment. As a result, after the 2015 liability shift, they are now 100% liable for all fraudulent transactions at their businesses, which I hope they are enjoying now.
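
The per-transaction cryptogram scheme the two comments above describe (a challenge/response whose output works exactly once, and the EMV flow with a counter-bearing chip) modelled in Python as an added example; it is not code from the page, from Pizza Hut or from any EMV implementation. The account reference, the terminal nonce and HMAC-SHA256 stand in for the real card data and key operation.

```python
"""Simplified model of the per-transaction cryptograms described above (added example;
not Pizza Hut's code and not a real EMV implementation). A keyed MAC stands in for the
card's key operation; real EMV derives session keys and covers more fields."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _transaction_bytes(pan_token: str, amount_cents: int, nonce: bytes, atc: int) -> bytes:
    # Canonical encoding of everything the issuer will check; changing any field breaks the MAC.
    return b"|".join([pan_token.encode(), str(amount_cents).encode(), nonce, str(atc).encode()])


@dataclass
class Card:
    # Chip side: the secret never leaves this object, only cryptograms do.
    pan_token: str
    _secret: bytes = field(repr=False)
    atc: int = 0                 # Application Transaction Counter, bumped once per use

    def generate_cryptogram(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        self.atc += 1
        msg = _transaction_bytes(self.pan_token, amount_cents, terminal_nonce, self.atc)
        mac = hmac.new(self._secret, msg, hashlib.sha256).digest()[:8]
        return {"pan_token": self.pan_token, "amount": amount_cents, "atc": self.atc,
                "nonce": terminal_nonce.hex(), "cryptogram": mac.hex()}


class Issuer:
    # Bank side: knows each card's secret and the highest counter it has honoured.
    def __init__(self) -> None:
        self._keys = {}
        self._last_atc = {}

    def enrol(self, pan_token: str) -> Card:
        secret = secrets.token_bytes(16)
        self._keys[pan_token] = secret
        self._last_atc[pan_token] = 0
        return Card(pan_token, secret)

    def authorize(self, req: dict) -> str:
        secret = self._keys.get(req["pan_token"])
        if secret is None:
            return "DECLINED: unknown account"
        msg = _transaction_bytes(req["pan_token"], req["amount"], bytes.fromhex(req["nonce"]), req["atc"])
        expected = hmac.new(secret, msg, hashlib.sha256).digest()[:8].hex()
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return "DECLINED: bad cryptogram"
        if req["atc"] <= self._last_atc[req["pan_token"]]:
            return "DECLINED: replay (counter not advanced)"
        self._last_atc[req["pan_token"]] = req["atc"]
        return "APPROVED"


def run_scenarios() -> dict:
    issuer = Issuer()
    card = issuer.enrol("acct-ref-0001")          # constructed account reference
    good = card.generate_cryptogram(1999, secrets.token_bytes(4))
    results = {"original": issuer.authorize(good)}
    # Breach scenario: the full authorization record is captured at the merchant and re-sent as is.
    results["replay"] = issuer.authorize(dict(good))
    # The captured record with the amount edited.
    results["edited_amount"] = issuer.authorize(dict(good, amount=19999))
    # A fresh record with the next counter value but no way to compute the MAC.
    results["forged"] = issuer.authorize(dict(good, atc=good["atc"] + 1, cryptogram="00" * 8))
    # The legitimate card carries on: next counter, fresh nonce, valid MAC.
    results["next_purchase"] = issuer.authorize(card.generate_cryptogram(2500, secrets.token_bytes(4)))
    return results
```

Everything an attacker could lift from the merchant (the whole record, including the cryptogram) is either rejected as a replay or fails the MAC once any field changes, which is the property the card-present breaches in this thread lack.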

    6. Re: Cash by Anonymous Coward · · Score: 1

      Except this was a breach for online orders, which has nothing to do with EMV. This is why I try to use PayPal wherever it is accepted which, yes, has its own issues but at least there isn't anything that the merchant stores that screws me over when stolen.

    7. Re: Cash by dougdonovan · · Score: 1

      always pay cash when buying from fast food. they are not...into technology. they are into feeding you. a mortgage, car payment or a utility bill is different. none of those come to your front door for payment.

    8. Re:Cash by Rick+Schumann · · Score: 1

      Don't change anything, just keep doing the same thing over and over again forever and cross your fingers that nothing bad happens to YOU! CONVENIENCE is more important than keeping your accounts and identity secure!

      You're ridiculous and you don't even understand WHY you're ridiculous. Electronic payment systems are clearly and objectively INSECURE and UNRELIABLE now, there are security breaches practically EVERY GODDAMNED DAY, and you're recommending just ignoring that? Utter stupidity. GO BACK TO USING CASH until they get on the ball and fix the security problems!

    9. Re:Cash by eric_harris_76 · · Score: 1

      --
      There's no time like the present. Well, the past used to be.

  2. I think we can relax by Patent+Lover · · Score: 1

    I'm pretty sure the information that can be gleaned from a Pizza Hut customer is not exactly going to make a cyber criminal rich.

    1. Re:I think we can relax by Ritz_Just_Ritz · · Score: 2

      Cardiologists are probably lining up on the dark web to get their hands on that future customer list....

  3. Re: Nanny state by Anonymous Coward · · Score: 1

    I need it! Either you get me my stuffed crust or you get on your knees and Instuff your crust. Now what's it gonna be?!?

  4. Re: Nanny state by Anonymous Coward · · Score: 1

    (gets on knees, opens mouth wide)

    Do what you must, stuff my crust.

  5. Re: Nanny state by Anonymous Coward · · Score: 1

    All their food tastes like shit now. They cheapened things up and tried to make them healthier. Give me that greasy food they used to make in the 90s.

  6. 60k? by Anonymous Coward · · Score: 2, Informative

    That number is very low for a nationwide chain. That's the customers in like one town.

    As always, shrug and watch your statements. Your CC info is out there somewhere.

    1. Re:60k? by pnutjam · · Score: 1

      I didn't read the article, but I'm a bit heartened that at least this seems to indicate they aren't storing CC numbers forever, like so many companies.

    2. Re:60k? by orgelspieler · · Score: 1

      Funny, I read that and thought, "Pizza Hut still has 60,000 customers?" I don't even know where the nearest Pizza Hut is.

    3. Re:60k? by HiThere · · Score: 1

      The summary said that it was only the customers who ordered within one time period of less than a day that were leaked. If so it sounds as if only orders in transit were leaked.

      --
      I think we've pushed this "anyone can grow up to be president" thing too far.

  7. Re:So what by AmiMoJo · · Score: 1

    Do the banks go after Pizza Hut for their losses?

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

  8. Why do they keep all that information ... by Alain+Williams · · Score: 5, Insightful

    on some machine that is capable of being cracked? Once they have sought payment from the credit card company - why do they keep the CVV number? If, for some reason, they really need to (eg: easy next order), then keep all that sensitive information on some machine with a very narrow API (eg: charge customer 1234 $20 - tell me if this is approved). Many problems could be, at least partly, mitigated if they did not store everything in one big damn SQL database!

    1. Re: Why do they keep all that information ... by Anonymous Coward · · Score: 1

      They have to keep all that info until closing.

      Transactions are approved at time of sale, but processing is the last thing they do before shutting down the registers.

      That's why it affected only one day of customers. Because that DB only has info during business hours and is purged as transactions are completed.

    2. Re:Why do they keep all that information ... by Solandri · · Score: 2

      It's illegal to store credit card numbers without the card holder's authorization.

      That said, if you check the little box which says "remember my credit card info for future purchases," you've authorized them to store it. You've traded away security for a little convenience.

    3. Re:Why do they keep all that information ... by gnasher719 · · Score: 1, Interesting

      It's double illegal to store the CVV number.

      When a site says "remember my credit card info for future purchases", they are still not allowed to store your credit card number. They are allowed to convert the credit card number into a token that allows transfer of money from your bank account to Pizza Hut's bank account, and to use that token when you order again. That kind of token is useless to any hacker except to create a bit of mischief, because it can only be used to send money to Pizza Hut, and not to anyone else.
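
The narrow "charge customer X $Y, tell me if this is approved" interface proposed in the parent comment, together with the merchant-scoped tokens described in this reply, sketched as an added Python example (not Pizza Hut's, a processor's or any real vault's code). The merchant ids, the token format and the test card number are constructed.

```python
"""Sketch of the 'narrow API' tokenization design from the parent comment and this
reply (added example; not Pizza Hut's, a processor's or any real vault's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass(frozen=True)
class CardData:
    pan: str     # primary account number: the vault sees it once, the merchant never
    expiry: str
    cvv: str     # travels with a single authorization and is never persisted

class Vault:
    # Card data sits behind exactly two calls, tokenize and charge; there is no "read card".
    def __init__(self) -> None:
        self._cards = {}                       # token -> (pan, expiry); CVV deliberately absent
        self._token_key = secrets.token_bytes(32)

    def tokenize(self, merchant_id: str, card: CardData) -> str:
        # Keyed hash over (merchant, PAN): stable per repeat customer, useless at another merchant.
        digest = hmac.new(self._token_key, f"{merchant_id}|{card.pan}".encode(),
                          hashlib.sha256).hexdigest()
        token = f"tok_{merchant_id}_{digest[:16]}"
        self._cards[token] = (card.pan, card.expiry)
        return token

    def charge(self, merchant_id: str, token: str, amount_cents: int, cvv: str = "") -> str:
        # The only question a merchant may ask: charge this token this amount, yes or no?
        if not token.startswith(f"tok_{merchant_id}_") or token not in self._cards:
            return "DECLINED: token not valid for this merchant"
        if cvv and not (cvv.isdigit() and len(cvv) in (3, 4)):
            return "DECLINED: malformed CVV"    # the real CVV check happens at the issuer
        return f"APPROVED {amount_cents}"

@dataclass
class OrderDB:
    # What the web/order tier may persist: the token plus display-safe fields.
    FORBIDDEN = frozenset({"pan", "card_number", "cvv", "cvv2", "track"})
    rows: list = field(default_factory=list)

    def save(self, row: dict) -> None:
        leaked = self.FORBIDDEN & set(row)
        if leaked:
            raise ValueError(f"refusing to persist sensitive authentication data: {sorted(leaked)}")
        self.rows.append(row)

def place_order(vault: Vault, db: OrderDB, merchant_id: str, customer: str,
                card: CardData, amount_cents: int) -> dict:
    token = vault.tokenize(merchant_id, card)
    result = vault.charge(merchant_id, token, amount_cents, cvv=card.cvv)
    row = {"customer": customer, "token": token, "last4": card.pan[-4:],
           "amount": amount_cents, "result": result}
    db.save(row)
    return row

def run_scenarios() -> dict:
    vault, db = Vault(), OrderDB()
    card = CardData(pan="4111111111111111", expiry="12/29", cvv="123")  # constructed test values
    first = place_order(vault, db, "pizza_shop", "alice", card, 1999)
    # Repeat order using only what the merchant database holds: no PAN, no CVV.
    reorder = vault.charge("pizza_shop", first["token"], 2500)
    # A stolen copy of that database is presented at a different merchant.
    elsewhere = vault.charge("other_shop", first["token"], 2500)
    # Someone tries to persist the raw card "for convenience"; the storage layer refuses.
    try:
        db.save({"customer": "bob", "pan": card.pan, "cvv": card.cvv})
        guard = "stored"
    except ValueError:
        guard = "blocked"
    return {"stored_fields": sorted(first), "first": first["result"],
            "reorder": reorder, "elsewhere": elsewhere, "guard": guard}
```

A dump of `OrderDB.rows` yields tokens and last-four digits only, which is exactly what the comments above say a breached order database should be limited to.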

    4. Re:Why do they keep all that information ... by Anonymous Coward · · Score: 1

      It’s not illegal at all. The PCI council is not affiliated with any government and does not make laws.

      It’s double stupid, sure, but not illegal.

    5. Re:Why do they keep all that information ... by Anonymous Coward · · Score: 3, Insightful

      Let's clarify, as someone else tried for you. It is not illegal, or double illegal.

      Legally you can store CC numbers on fliers you put on everyone's door for advertisement. PCI is a set of rules that show you follow industry standard for protecting CC numbers (it isn't actually protecting them, it's following a set of rules that may or may not protect them). IF you follow PCI rules and there are fraudulent transactions, you are not responsible. IF you do NOT follow PCI rules and there are fraudulent transactions, you are responsible.

      That being said, I don't believe Target, Home Depot, Michaels, or anyone else has been held responsible despite NOT following PCI rules. So despite what is written down, what is enforced doesn't follow. It appears companies are not required to follow PCI and any fraud they help is still the card holder's responsibility.

    6. Re:Why do they keep all that information ... by Alain+Williams · · Score: 1

      Pizza Hut was one of the (increasingly rare) US businesses that refused to upgrade their terminals

      Does this mean that Pizza Hut may be sued by people as it failed to take reasonable, and readily available, measures to protect credit card information ?

    7. Re:Why do they keep all that information ... by AmiMoJo · · Score: 1

      They probably aren't permanently storing it, the hackers likely got in to the web back end that hands the CVV and other card details to their payment processor. Normally the CVV would be stored in memory for the duration of the transaction only.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    8. Re:Why do they keep all that information ... by Rick+Schumann · · Score: 1

      Because everyone on the receiving end of your money doesn't give a rat's ass about YOU being secure so long as they get your money. So far as they're concerned all these security breaches are YOUR problem and they can't be bothered. GO BACK TO USING CASH. Then it won't be a problem anymore.

  9. 1%, Caught within 28 hours, calling in experts by raymorris · · Score: 5, Interesting

    According to the article, it affected fewer than 1% of customers that weekend, the intrusion was stopped within 28 hours, and they've called in outside experts to take an objective look at it and help them improve their security posture. They did get hacked, AND they are doing some things right.

    It looks like they had some monitoring in place that caught it - good.
    They are getting assistance from security professionals - good.
    Those professionals don't work for the same internal IT department that had a deficiency in the first place - good.

    The fact that they got hacked means there were several things wrong. They should have had multiple layers of security. Yet they are also doing some things right.

  10. Re:Pizza Hut problems by Anonymous Coward · · Score: 2, Insightful

    Tell you what then: Post your CC details here, and I'll go eat at Pizza Hut tonight. We can touch base again here week to see how we're both doing.

  11. Do not trust third parties with your credit card by davecb · · Score: 1

    In fact, treat them the same way SMERSH kept trying to treat James Bond. Death To Spies!

    --
    davecb@spamcop.net

  12. Security Fatigue by Lije+Baley · · Score: 1

    The future is everyone giving up and buying cyber-loss insurance. My house doesn't have to be a fortress with me guarding it 24/7 to get homeowner's insurance. The same level of practicality and get-on-with-your-life thinking needs to come to all of this cyber-security business.

    --
    Strange things are afoot at the Circle-K.

  13. Data theft = fact of life by Kargan · · Score: 1

    Your personal and financial information has already been stolen, whether the company holding your data has admitted it or not (or more to the point, regardless of whether they even *know it* or not). And if it hasn't yet, it will be. Count on it.

    Your information is not stored safely, period. Just accept it, move on and conduct yourself accordingly. It's a fact of life these days.

    --
    Palaces, barricades, threats, meet promises

  14. Re:So what by ShanghaiBill · · Score: 4, Informative

    Do the banks go after Pizza Hut for their losses?

    No. They go after the merchants that accepted the fraudulent transactions. If you run an online business, and you accept "card not present" transactions, then you are SOL if the bank issues a chargeback. You can verify the address, or at least the zipcode, to cut down on fraud, or you can just eat the loss as a cost of doing business. Either way, there are no "losses" for the bank. That is why they have no incentive to fix the system. It is not their problem.

  15. The story is only developing. Wait for it... by jbn-o · · Score: 1

    According to the article, it affected fewer than 1% of customers that weekend, the intrusion was stopped within 28 hours, and they've called in outside experts to take an objective look at it and help them improve their security posture.

    I think we've seen enough stories of this kind to know that businesses lie about the extent of the loss of control of relevant systems and by default we should not believe them their first report. We've even seen these kinds of stories repeated on /. recently:

    • Equifax Increases Number of Britons Affected By Data Breach To 700,000—Equifax reported they lost control of around 400,000 Britons' information in a data breach then later it turns out the number increased to around 700,000.
    • Yahoo Triples Estimate of Breached Accounts To 3 Billion—Yahoo reported they lost control of around 1 billion user accounts then later it turns out they lost control of around 3 billion (basically all) Yahoo accounts and "compromised customer information included usernames, passwords, and in some cases telephone numbers and dates of birth" which strikes me as information imposters may find useful.
    • Hyatt Hotels Discovers Card Data Breach At 41 Properties Across 11 Countries—after an initial breach involving losing "access to credit card systems at 250 properties in 50 different countries", "Hyatt said its cyber security team discovered signs of unauthorized access to payment card information from cards manually entered or swiped at the front desk of certain Hyatt-managed locations between March 18, 2017 and July 2, 2017" which "impacted 41 properties across 11 countries".

    If you think this is the beginning and ending of this story, you have not been paying attention.

    What to do about it? Using cash is a short-term solution for a narrow problem but doesn't address the de-anonymization efforts underway for cash (unique IDs embedded in paper currency, for instance) and doesn't address whether we should trust Pizza Hut or Yum! Brands at all.

    If we think like legislatures apparently do regarding drug law, copyright law, and so on then the ugly patterns have formed and it's time to get punitive (just as they apparently do at the behest of big businesses against the wishes of the citizenry). Tell big businesses that they stand to be disincorporated when they lose exclusive access to their systems or hire other businesses that lose said exclusive access because we value not being defrauded more than we value their lax business practices. We also need to remain vigilant over credit law and make sure that liability is always limited to some low value and always kept in place for the credit user. We should never stand for credit card processors of any kind making it easier to move the liability for fraud to the end user.

  16. If you're like me... by saltydogdesign · · Score: 1

    ... the first question this post raised was, "Pizza Hut has customers?"

    --
    // This is not a sig.

  17. Good response, bad systems by Xenographic · · Score: 2

    The response is good, but the funny thing is that I have long refused to let them store my CC number because the password policy they have is insane. I can't remember what it is right now, but I think they wouldn't let you use most symbols or spaces and had a really short maximum length.

    I figured that anyone who would force their customers to use laughably weak passwords had poor internal security. I'm glad to see their response is better than I would've expected, but the fact that they got cracked does not surprise me at all. Fortunately, all they have is my address.

    1. Re:Good response, bad systems by theCoder · · Score: 1

      Huh, they must have changed over time. About a decade ago, I ordered a pizza for carry out from their website and I had to create an account and I remember the password requirements were quite stringent. I don't remember the details, but it did impress on me that the requirements were much more than what was required to protect what amounted to my zip code. Maybe they got pushback from customers on how hard it was to come up with a password. Though having a short maximum length and not allowing symbols is bad practice in the other direction.

      --
      "Save the whales, feed the hungry, free the mallocs" -- author unknown

  18. They're not allowed to store the CVV by sremick · · Score: 1

    From Wikipedia:

    "As a security measure, merchants who require the CVV2 for "card not present" payment card transactions are required by the card issuer not to store the CVV2 once the individual transaction is authorized.[6] This way, if a database of transactions is compromised, the CVV2 is not included, and the stolen card numbers are less useful. Virtual terminals and payment gateways do not store the CVV2 code, therefore employees and customer service representatives with access to these web-based payment interfaces who otherwise have access to complete card numbers, expiration dates, and other information still lack the CVV2 code.

    The Payment Card Industry Data Security Standard (PCI DSS) also prohibits the storage of CSC (and other sensitive authorisation data) post transaction authorisation. This applies globally to anyone who stores, processes or transmits card holder data.[7] "

    So, considering that, what happens now? Pizza Hut should have their merchant license revoked and no longer accept credit card payments.

  19. I don't know what's worse by scourfish · · Score: 1

    Having your personal info stolen or others finding out that you ate at Pizza Hut. They both seem pretty terrible.

  20. Stop using plastic, start using cash again by Rick+Schumann · · Score: 1

    About 4 months ago I stopped using plastic for everything and started using cash as much as possible because of constant security breaches like this one. I'm recommending in the strongest words possible that everyone do the same, unless you really want to continually expose yourself to the threat of having your bank accounts drained and/or credit cards maxed out and/or identity stolen. The more you use plastic the more exposed you are and there's no getting around that anymore, and the situation is not going to improve until they find a way to prevent these incursions from happening in the first place. At this point in time the minimal risk of maybe getting mugged for $100 in your wallet is far less than getting your entire LIFE 'virtually mugged' by some cybercriminal organization that rapes all your accounts and rapes you for your identity, ruining your life completely.