The payment card details of Pizza Hut’s customers were stolen by a hacker in a data breach, the company said in an email sent to affected customers.
According to the email, shared on social media by some recipients, affected customers placed orders on the company’s mobile app or website between the morning of October 1 and midday on October 2.
The “temporary security intrusion” lasted for around 28 hours, the email said, and the details leaked are believed to include names, billing post codes, delivery addresses, email addresses and payment card information (account number, expiration date and CVV number).
‘The security intrusion at issue impacted a small percentage of our customers and we estimate that less than 1% of the visits to our website over the course of the relevant week were affected,’ read the customer email sent only to those affected. ‘That said, we regret to say that we believe your information is among that impacted group.’
It is believed up to 60,000 customers in the US were affected.
Javvad Malik, security advocate at AlienVault, said: “Compared to many recent breaches, Pizza Hut detected the breach relatively quickly and so limited the number of customer card details stolen. It goes to illustrate the importance and value of having good threat detection and response controls in place so as to limit exposure.”
However, are there any possible legal implications raised by Pizza Hut failing to alert its customers of the breach? Nicola Fulford, head of Data Protection and Privacy at Kemp Little, believes there might be, given the impending change in regulation. She offers advice to companies on managing data breaches, and to those directly affected by them, in order to avoid damaging consumer trust and the company’s reputation.
“The ICO suggests organisations should report personal data breaches that may cause “serious harm” to individuals affected by the breach – it is essential companies act quickly in making this assessment. Where financial data has been compromised, it raises serious concerns of identity theft, likely to cause emotional distress and financial damage to the individual. Under the current law, there is no obligation to notify, however when the General Data Protection Regulation applies from 25 May 2018, it will be mandatory for organisations to notify data breaches that risk harm to individuals. Failure to do so means companies could face significant fines, €10m or up to 2% of worldwide turnover.”
“How companies manage a breach should be a board level issue, if it is not already. Careful planning in advance of a data breach is key to limiting further data loss, mitigating the impact for individuals, minimising the associated media attention and maintaining customer trust. Ensuring call centre and customer support staff are geared up to respond with key facts and how customers can protect themselves and their data goes some way to demonstrating the company has customers’ interests at the heart of the breach. Companies that fail to prepare a plan of action in the event of a data breach will find themselves without answers when the news breaks and a flood of questions from concerned customers is received. The chances then of a dive in customer confidence are high.”