Despite acting quickly to handle the data breach, some customers were disgruntled by the two-week notification delay.
Pizza Hut has been hit by a data breach that resulted in the theft of card details. The customers involved have now been notified of the incident, which took place between 1 and 2 October.
Affected customers have now been notified about the incident, which occurred two weeks ago, leaving some irritated that they could not act sooner. A number of Pizza Hut customers expressed these feelings on Twitter.
In the email sent to affected customers, Pizza Hut said: “We have learned that the information of some customers who visited our website or mobile application during an approximately 28-hour period (from the morning of October 1, 2017, through midday on October 2, 2017) and subsequently placed an order may have been compromised.”
This is not the first time Pizza Hut has been hit by a data breach that targeted card details, as a 2012 breach impacted a significant 240,000 customers.
“Pizza Hut identified the security intrusion quickly and took immediate action to halt it… The security intrusion at issue impacted a small percentage of our customers and we estimate that less than one percent of the visits to our website over the course of the relevant week were affected,” said the Pizza Hut notification email.
Mitigating the risk of leakage
Christopher Littlejohns, EMEA manager at Synopsys said: “Although this leakage was constrained to a relatively short period, the value of the credit card information to the criminals is of course very high. Any company that captures and stores such critically sensitive customer information must mitigate the risk of leakage, otherwise they may run foul of mass social media anger. As we have seen, this can be commercially damaging. Legislative bodies worldwide are waking up and tackling this issue, a great example being the forthcoming GDPR regulations which oblige companies to ensure they are applying appropriate diligence at risk of receiving major fines if negligence is proven.”
Illustrating the value of good threat detection
Javvad Malik, security advocate at AlienVault, said: “Compared to many recent breaches, Pizza Hut detected the breach relatively quickly and so limited the number of customer card details stolen. It goes to illustrate the importance and value of having good threat detection and response controls in place so as to limit exposure.”
How quickly should you come clean with customers?
Lee Munson, Security Researcher at Comparitech, said: “The Pizza Hut card breach poses an interesting question about how quickly a company should come clean with its customers. While a two-week period between breach and notification may sound like two weeks too many to affected customers, it is in fact a very quick response versus industry norms, which often see no disclosure made at all.
Now that customers have been informed of when the breach took place, they can be proactive around checking their bank and credit card accounts for suspicious activity. Given the size of Pizza Hut, and its need to maintain its reputation, any victims of payment card fraud should consider contacting the company to see if any assistance is forthcoming, in the form of credit monitoring, or any other help the business may consider offering.”
GDPR: 25th May 2018
Andrew Clarke, EMEA Director at One Identity, said: “As we move closer to the official commencement date, 25 May 2018, of the General Data Protection Regulation (GDPR), organisations are going to have to up their game to ensure that they are prepared for their responsibilities under the act. The biggest change to the regulatory landscape of data privacy comes from the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the European Union, no matter where the company is located. This would possibly have direct impact on Pizza Hut in this case.”
Breach management is a board level issue
Nicola Fulford, Head of Data Protection & Privacy at Kemp Little, said: “The ICO suggests organisations should report personal data breaches that may cause “serious harm” to individuals affected by the breach – it is essential companies act quickly in making this assessment. Where financial data has been compromised, it raises serious concerns of identity theft, likely to cause emotional distress and financial damage to the individual.”
As it stands, organisations are not obligated to notify in the event of a breach, but the arrival of GDPR will make notification mandatory, and it will also have to be done quickly after they become aware of a breach.
“How companies manage a breach should be a board level issue, if it is not already. Careful planning in advance of a data breach is key to limiting further data loss, mitigating the impact for individuals, minimising the associated media attention and maintaining customer trust,” said Fulford.