Pizza Hut has become the latest household name to suffer a payment card breach.
The company admitted the incident on Saturday in an email sent to affected customers, nearly two weeks after it discovered and remediated the issue. According to the email, shared on social media by some recipients, affected customers placed orders on the company's mobile app or website for about 28 hours between the morning of October 1 and midday on October 2.
The “temporary security intrusion” resulted in hackers accessing names, billing ZIP codes, delivery addresses, email addresses and payment card information (account numbers, expiration dates and CVV numbers). The company didn’t say how many customers were affected, nor how the data was taken. One inference from what it did say: PCI DSS prohibits merchants from retaining CVV numbers after a transaction is authorized, so CVVs exposed during a 28-hour ordering window point to card data being captured as orders were placed rather than pulled from stored records, although the company has not confirmed this.
Some of those affected expressed anger that it took the company two weeks to notify them.
“@pizzahut great security there & thanks for the delay in notifying us after thieves already charged our accts. Keep up the excellent work,” tweeted one victim.
“Any company that captures and stores such critically sensitive customer information must mitigate the risk of leakage, otherwise they may run afoul of mass social media anger,” said Christopher Littlejohns, EMEA manager at Synopsys. “As we have seen, this can be commercially damaging. Legislative bodies worldwide are waking up and tackling this issue, a great example being the forthcoming GDPR regulations which oblige companies to ensure they are applying appropriate diligence at risk of receiving major fines if negligence is proven.”
At least one security researcher said that the backlash was somewhat unwarranted.
“The Pizza Hut card breach poses an interesting question about how quickly a company should come clean with its customers,” said Lee Munson, security researcher at Comparitech. “While a two-week period between breach and notification may sound like two weeks too many to affected customers, it is in fact a very quick response versus industry norms which often see no disclosure made at all.”
Meanwhile, Javvad Malik, security advocate at AlienVault, also praised the company for detecting the incident quickly: “Compared to many recent breaches Pizza Hut detected the breach relatively quickly and so limited the number of customer card details stolen. It goes to illustrate the importance and value of having good threat detection and response controls in place so as to limit exposure.”