Pizza Hut - Cyber Incident

We became aware in early September of a cyber security incident where an unauthorised third party accessed some of the company’s data. At this stage of our investigation, we have confirmed that the data impacted relates to customer record details and online order transactions held on our Pizza Hut Australia customer database. This includes information such as a customer’s name, delivery address and instructions, email address and contact number, as well as unusable masked credit card data and secure one-way encrypted password (for customers with online accounts).
From our investigation and the steps taken in response to the incident, we believe there is only a small proportion of customers on our database whose personal information has been impacted. We have notified these customers as well as the Office of the Australian Information Commissioner (OAIC) of the incident.

Comments

  • +8

    If they pull a Shopback and give everyone a freebie, like a pizza everyone will forgive and forget quickly.

    • +2

      Free (upgradable) value pizza (pickup only) (sorry about your info getting hacked lol)

    • What freebie did Shopback give? ahaha

      • $3 or something.

        • +3

          $3 better than any other place that had a cyber incident (optus, medibank, etc)

          • @mrshorty: If that's your price to forgive having all your personal information, passwords, bank account numbers and partial credit card numbers stolen.

            • +2

              @Clear: It's not ideal but finding more and more places getting breached these days with some just giving an apology

              • @mrshorty: 10 years ago there was no obligation to even disclose such breaches. You're only hearing about them now because they have to.

  • +1

    What does this mean for people like me who log in via apple ID with the email obfuscation/forwarding?

    • +3

      Assuming you've never used that particular email alias for anything else, nothing.

      If you notice more spam coming in from that alias, you can delete it and regenerate a new one.

      Make sure you're not one of the idiots who still aren't using a password manager with uniquely generated passwords for every account in 2023.

      I'm assuming you're already doing this since you're also protecting your main email address with disposable email aliases.

      • KeePass, and my databases are kept off-cloud ;)

        Thanks for the info, I'll have a look for how to regenerate the aliases.

      • What a stupid thing to say, what good is a password manager to store the 300 different passwords you'd have (1 for every different service and website) if that KeePass isn't available on any computer you might be at when you need to login to those services, or even from your mobile when you're out and about and need to log in to 1 of them.

        • Found an idiot.

          If you did a modicum of research, you would realise cloud sync and cross platform support are features on many password managers.

          You would also realise that KeePass is one of many password managers and is not the only option.

          If you have no idea what you're talking about, then don't bother talking.

          • @non-core promise: good luck with your 300 passwords you dolt. The smart of us get by just fine with only 1. We're out there making money with our time while you're trying to remember passwords and access keepasses, ahahaha, what a mong

            • @Ash Bowden: The entire point of a password manager is to remember one password and have randomly generated passwords for everything else so you can have security without having to memorise a large number of unique passwords.

              If you did ANY research at all on password managers, you'd know this.

              Looking forward to the day when you get caught in a data breach and have all your accounts compromised from using one password for everything.

              What a Luddite.

  • -6

    Pizza who?

    • Hut.

      It's right there.

      • -6

        Feel better?

  • You are receiving this email as you have made an online order with Pizza Hut Australia. This is not a marketing or promotional email from Pizza Hut Australia. Please read this important information carefully.

    Dear Customer,

    I am writing to you as a valued customer of Pizza Hut Australia to tell you about a cyber security incident that has impacted a small proportion of our customers.

    What happened?

    We became aware in early September of a cyber security incident where an unauthorised third party accessed some of the company’s data. At this stage of our investigation, we have confirmed that the data impacted relates to customer record details and online order transactions held on our Pizza Hut Australia customer database. This includes information such as a customer’s name, delivery address and instructions, email address and contact number, as well as unusable masked credit card data and secure one-way encrypted password (for customers with online accounts).

    From our investigation and the steps taken in response to the incident, we believe there is only a small proportion of customers on our database whose personal information has been impacted. We have notified these customers as well as the Office of the Australian Information Commissioner (OAIC) of the incident.

    Why are we telling you?

    Based on our investigation and the steps we have taken to remediate the incident, you are not one of the small number of customers whose personal information has been impacted.

    However, out of an abundance of caution we wanted to alert you to the incident, and take the opportunity to remind you of steps you can take to protect your information and avoid potential scams:

    • Remain alert to any suspicious emails and SMS or telephone communications that are disguised to look like they come from someone you know or trust. Pizza Hut only sends you emails from [email protected], [email protected] or [email protected].

    • Verify communications by confirming the identity of the sender. This includes checking email names and domains, by hovering your mouse over the sender’s email address.

    • Do not open links that look suspicious. If you are unsure about a link sent to you by a company, you should go to the company’s website and look for the product or service that was offered.

    • Be alert to phishing scams. This could include scams that target you through post, phone or email. Phishing scams are attempts by scammers to trick people into providing their personal information, including passwords, credit card numbers and/or sensitive personal information. Get further information about how to avoid scams at www.scamwatch.gov.au.

    • While this isn’t a necessity as our passwords are secured with one-way encryption, you may wish to consider updating your Pizza Hut Australia password.

    • Get further information about online safety, cyber security and helpful tips at www.cyber.gov.au.

    • Read our Privacy Policy on our website here: https://www.pizzahut.com.au/privacy to learn more about how we handle the personal information we collect about you and how to reach out about your privacy.

    Our investigation is continuing, and we will update you if any additional relevant information becomes available.

    Our thanks and apologies

    We value all our customers across Australia and all of us at Pizza Hut Australia thank you for your ongoing support. We understand the trust you place in us and I sincerely apologise for any concern that this incident may have caused.

    Yours sincerely,

    Phil Reed
    Chief Executive Officer
    Pizza Hut Australia

  • +2

    First mentioned here

  • The main things to be concerned about are:

    • Name if you provide your real name to Pizza Hut,
    • Delivery address if you've ever ordered delivery or provided your address to Pizza Hut in some other way,
    • Email address if you gave them your primary email address and don't use a disposable email alias/obfuscation service,
    • Contact number, similar situation to email, expect more spam calls + texts,
    • "Unusable masked" credit card data,
    • "Secure one-way encrypted" passwords.

    Those last 2 are in quotes because you're essentially trusting Pizza Hut's IT team to be able to accurately tell whose data has or hasn't been accessed.

    You're also trusting them that the credit card data was masked correctly and cannot be reversed.

    Same goes for the password encryption.

    So a potential cyber criminal would be able to match your name with your address, email address and contact number. That can be pretty bad if you used your real name with your primary email address and primary mobile number.

    You can ask your financial institution for a new card with a new number if you're feeling cautious or just monitor existing cards for weird transactions if you're not.

    If you're one of the idiots who are still not using password managers for uniquely generated passwords for every account in 2023 and are still using the same password for everything, including Pizza Hut, you should change all your passwords now, starting with the most important first (primary email/s and financial institution logins).

    The "instructions" are just the text field where you can type a message to the pizza chefs if you like your pizza a particular way. I don't think most people use this. I bet most of the messages are just insults, jokes and other rude stuff.

    • You can trust our encryption and credit card storage practices because of the professionalism of our security team (who has just been popped).

      What if my life insurers gather information on just how much pepperoni I am consuming?

    • "The main things to be concerned about are:"
      so basically everything

  • +1

    We should organize a class action suit. I want more free pizzzaaa 🍕

  • +7

    Another one bites the crust.

    Someone's going to make some dough with all this info.

    After Latitude I didn't really knead this.

    Anyway, try and have a slice day.

    • I doubt anyone will be topping your post.
      It's big and it's cheesy

  • +12

    I just got this email from the hackers.

    We have your dirty secret. Pay us $10,000AUD in Bitcoin or we will tell all your friends that you have pineapple 🍍 on your pizza.

    • +3

      Just pay it. Not worth the loss of dignity.

    • +2

      Pineapple on pizza is the key to my heart. Or at least according to my wife.

    • We have your dirty secret

      you order anchovies!! how could you?

  • +3

    All your salamis are belong to us!

  • +5

    This is why I only purchase online with stolen credit card numbers

    • same.
      and i got it delivered to my stolen house, signed delivery proof by my stolen gf

  • +1

    Not the first time Pizza Hut has been unable to keep personal information secure.

  • If you wanted to check if your email has been part of a breach
    https://haveibeenpwned.com/

  • DEAL: Domino’s – $3.99 Large Pepperoni Pickup at Selected Stores (20 September 2023)

  • Hacker handle:

    4d65696a446f6e3833

  • The email address I use for Pizza Hut was pwned long ago MyHeritage + Myspace + Twitter + several World of Warcraft pirated servers. It's used for stuff that I don't overly trust. Add this to the Domino's one (hi it's Wendy/Sarah are you near X?) and I guess they will know that I really like pizza. lol

  • come on Domino you can do it

  • What is the status of my information?

    From our investigation and the steps taken in response to the incident, we believe you are one of a small proportion of customers whose personal information has been impacted. That said, it is important to note that there is no evidence that your personal information has been misused, and the data we hold cannot by itself be used to commit identity theft or fraud.

    I'd better be getting a free pizza out of this.
