The Pizza Hut restaurant chain is warning customers that hackers might have accessed the company’s data in what they classify as a “temporary security intrusion.”
The data breach lasted for 28 hours, from the morning of October 1 to midday on October 2.
However, officials at the company did not inform customers until two weeks after the intrusion when they emailed a select group of customers informing them that hackers might have compromised their personal information in an early October hacking.
Through their email, which was also shared on social media channels by some victims, the company admitted that hackers infiltrated their website and mobile application.
Any customer who placed an order during the 28-hour attack period had their details compromised.
Some of the details stolen from the orders were customer names, email addresses, delivery addresses, billing zip codes and payment card details including account numbers, Card Verification Value (CVC) numbers and card expiration dates.
In the email, the company said the third-party security intrusion incident affected a small percentage of customers, mainly in the U.S.
The company’s course of action and delay in notifying customers of the hacking is similar to that of Equifax in their recent cyber attack.
The Equifax hack left over 145 million people vulnerable to identity theft, but Equifax officials only notified them three months after the breach.
As was the case with Equifax, many Pizza Hut customers have also expressed their disappointment with the company on social media.
Unleashing their frustrations on Facebook and Twitter, several victims complained that their bank accounts had been drained following the hacking attack.
Calling it incompetence, other customers were furious, saying they could have been more proactive had officials sent the security breach notification earlier.
The company is currently facing sustained criticism over why it did not inform users earlier, leaving a two-week window in which hackers could use their information.
Addressing the issue, a company spokesperson said that they took action to counter the hacking as soon as it was detected.
He said that the security intrusion affected less than one percent of the customers who visited the website that week, which is approximately 60,000 people.
Despite the delay in alerting customers, the company’s security team was confident that it resolved the intrusion on time—before hackers compromised information from a larger group.
They also added that the standard time for releasing details about similar attacks has always been 30+ days, with some companies extending up to eight months before notifying their customers.
In an advisory statement, the company said it would offer one year of free credit monitoring to all victims of the data breach.
The company has partnered with Kroll Information Assurance LLC for credit monitoring as part of their remediation strategy.
However, this seems to fall short of assuaging most customers who were in distress following the two-week notification delay.
While regretting and apologizing for the inconveniences caused by the hacking, the company tweeted to concerned customers and potential victims that the security of customer information remains their priority.
They also promised to invest more resources in their security infrastructure to avoid such intrusions in the future.
A Pizza Hut spokesperson urged all customers who received an email from the company to act accordingly.
The email redirects users to the Kroll credit monitoring agency, where, upon opting in, users are asked for their names, Social Security numbers and other personal information.
He also added that the email is legitimate and that the company is not interested in exploiting anyone’s Social Security number; the number is requested only for protection from identity fraud through the credit monitoring agency.
Pizza Hut is now among the growing number of restaurants that have experienced massive cyber attacks this year.
Previously, Arby’s, Chipotle Mexican Grill, Sonic and Shoney’s have also reported data breaches.
As hackers continue targeting the online community for possible identity fraud, experts recommend you take the following precautions if you fall victim to any security breach.
- Monitor your bank and credit card statements for unusual transactions. In case there is a transaction you didn’t make, seek assistance from the respective bank.
- Consider asking your banking service provider to temporarily freeze your account, credit card or debit card. This will prevent a third party from hacking into your account and completing a transaction without your knowledge.
- Consider working with companies that offer credit monitoring services. They will inform you in case of suspicious activities related to your card—for example when a hacker opens an account using your name.