Slashdot Mirror

← Back to Stories (view on slashdot.org)

Pizza Hut Leaks Credit Card Info On 60,000 Customers (kentucky.com)

Posted by EditorDavid on from the outpizza-ing-the-hut dept.

An anonymous reader quotes McClatchy: Pizza Hut told customers by email on Saturday that some of their personal information may have been compromised. Some of those customers are angry that it took almost two weeks for the fast food chain to notify them. According to a customer notice emailed from the pizza chain, those who placed an order on its website or mobile app between the morning of Oct. 1 and midday Oct. 2 might have had their information exposed. The "temporary security intrusion" lasted for about 28 hours, the notice said, and it's believed that names, billing ZIP codes, delivery addresses, email addresses and payment card information -- meaning account number, expiration date and CVV number -- were compromised... A call center operator told McClatchy that about 60,000 people across the U.S. were affected.
"[W]e estimate that less than one percent of the visits to our website over the course of the relevant week were affected," read a customer notice sent only to those affected, offering them a free year of credit monitoring. But that hasn't stopped sarcastic tweets like this from the breach's angry victims.

"Hey @pizzahut, thanks for telling me you got hacked 2 weeks after you lost my cc number. And a week after someone started using it."

5 of 76 comments (clear)

  1. Why do they keep all that information ... by Alain+Williams · · Score: 5, Insightful

    on some machine that it capable of being cracked ? Once they have sought payment from the credit card company - why do they keep the CVV number ? If, for some reason, they really need to (eg: easy next order), then keep all that sensitive information on some machine with a very narrow API (eg: charge customer 1234 $20 - tell me if this is approved). Many problem could be, at least partly, mitigated if they did not store everything in one big damn SQL database!

    1. Re:Why do they keep all that information ... by Anonymous Coward · · Score: 3, Insightful

      Lets clarify, as someone else tried for you. It is not illegal, or double illegal.

      Legally you can store CC numbers on fliers you put on everyone's door for advertisement. PCI is a set of rules that show you follow industry standard for protecting CC numbers (it isn't actually protecting them, its following a set of rules that may or may not protect them) IF you follow PCI rules and there are fraudulent transactions, you are not responsible. IF you do NOT follow PCI rules and there are fraudulent transactions you are responsible.

      That being said, I don't believe Target, Home Depot, Michaels, or anyone else has been held responsible despite NOT following PCI rules. So despite what is written down, what is enforced doesn't follow. It appears companies are not required to follow PCI and any fraud they help is still card holder's responsibility.

  2. 1%, Caught within 28 hours, calling in experts by raymorris · · Score: 5, Interesting

    According to the article, it affected fewer than 1% of customers that weekend, the intrusion was stopped within 28 hours, and they've called in outside experts to take an objective look at it and help them improve their security posture. They did get hacked, AND they are doing some things right.

    It looks like they had some monitoring in place that caught it - good.
    They are getting assistance from security professionals - good.
    Those professionals don't work for the same internal IT department that had a deficiency in the first place - good.

    The fact that they got hacked means there were several things wrong. They should have had multiple layers of security. Yet they are also doing some things right.

  3. Re:Cash by Anonymous Coward · · Score: 3, Insightful

    Cash doesn't come with zero liability like credit cards often do. If one's card is stolen or number compromised, they're just mailed a new card. Easy, no hassles. Sure, one occasionally hears horror stories, but that's why one should be somewhat selective with the credit card issuers they choose to do business with.

    As for accumulating debt, one can just pay the bill in full every month like many do. In which case, no debt to worry about. So one gets all the benefits of zero liability, plus rewards, extended warranty, plus convenience. Cash is easy to lose, easy to steal, easy to get wrong change, plus the slight chance of getting counterfeit bills too.

    Also, good luck trying to mail order anything with cash. Most places don't accept COD anymore. Sure one could mail a money order or check, but good luck with that. Pre-paid and debit cards are a work-around for mail order, but are no panacea; less ideal than paying with a credit card. For renting a car, the guest with a credit card will be well on their way while the cash customer is still waiting on paying the sizable deposit, which may be based, in part, on one's credit. A catch-22 there for one who doesn't use any credit cards.

    Bottom line, despite all the issues, cashless payments is the reality. Even more so for young people today who often avoid using cash even for the smallest purchases. Anyone working in retail observes this every day.

  4. Re:So what by ShanghaiBill · · Score: 4, Informative

    Do the banks go after Pizza Hut for their losses?

    No. They go after the merchants that accepted the fraudulent transactions. If you run an online business, and you accept "card not present" transactions, then you are SOL if the bank issues a chargeback. You can verify the address, or at least the zipcode, to cut down on fraud, or you can just eat the loss as a cost of doing business. Either way, there are no "losses" for the bank. That is why they have no incentive to fix the system. It is not their problem.