Pizza Hut Leaks Credit Card Info On 60,000 Customers (kentucky.com)
An anonymous reader quotes McClatchy:
Pizza Hut told customers by email on Saturday that some of their personal information may have been compromised. Some of those customers are angry that it took almost two weeks for the fast food chain to notify them. According to a customer notice emailed from the pizza chain, those who placed an order on its website or mobile app between the morning of Oct. 1 and midday Oct. 2 might have had their information exposed. The "temporary security intrusion" lasted for about 28 hours, the notice said, and it's believed that names, billing ZIP codes, delivery addresses, email addresses and payment card information -- meaning account number, expiration date and CVV number -- were compromised... A call center operator told McClatchy that about 60,000 people across the U.S. were affected.
"[W]e estimate that less than one percent of the visits to our website over the course of the relevant week were affected," read a customer notice sent only to those affected, offering them a free year of credit monitoring. But that hasn't stopped sarcastic tweets like this from the breach's angry victims.
"Hey @pizzahut, thanks for telling me you got hacked 2 weeks after you lost my cc number. And a week after someone started using it."
Re: Nanny state (Score:1)
I need it! Either you get me my stuffed crust or you get on your knees and I stuff your crust. Now what's it gonna be?!?
Re: Nanny state (Score:1)
(gets on knees, opens mouth wide)
Do what you must, stuff my crust.
Re: (Score:1)
All their food tastes like shit now. They cheapened things up and tried to make them healthier. Give me that greasy food they used to make in the 90s.
Cash (Score:1, Insightful)
And folks, that's why cash is best.
Credit cards are nothing but evil. Although, if you want to travel, you can't live without them.
Credit is just an evil. There's very little good about it - for consumers.
Now, business credit is called "leverage" and that's a whole different issue.
But for Joe Public, credit cards should just be outlawed. Just destroy them and their business. If it weren't for them, much of our economic dysfunction wouldn't exist. It just distorts everything....
Re: (Score:3, Insightful)
Cash doesn't come with zero liability like credit cards often do. If one's card is stolen or number compromised, they're just mailed a new card. Easy, no hassles. Sure, one occasionally hears horror stories, but that's why one should be somewhat selective with the credit card issuers they choose to do business with.
As for accumulating debt, one can just pay the bill in full every month like many do. In which case, no debt to worry about. So one gets all the benefits of zero liability, plus rewards, extended
Re: (Score:2)
Don't change anything, just keep doing the same thing over and over again forever and cross your fingers that nothing bad happens to YOU! CONVENIENCE is more important than keeping your accounts and identity secure!
You're ridiculous and you don't even understand WHY you're ridiculous. Electronic payment systems are clearly and objectively INSECURE and UNRELIABLE now, there are security breaches practically EVERY GODDAMNED DAY, and you're recommending just ignoring that? Utter stupidity. GO BACK TO USING CASH until they get on the ball and fix the security problems!
That is a sensible idea, but there is a big problem: Those with the power to fix the system have no incentive to do so. The cost of fraud is pushed onto the merchants. The hassle of dealing with identity theft is dumped on the consumer. Mastercard and Visa have a vested interest in the current system, since any attempt at reform would quickly expose them as parasites that can be easily bypassed. The banks also have a vested interest in keeping the current system since a new system would likely be a "ch
Re: (Score:1)
To expand on the point slightly, the way EMV works (chip cards, chip and pin, etc.) is that there is a microprocessor embedded in the card with an embedded unreadable private key. When you insert your card into a payment terminal, it cryptographically signs the transaction presented by the terminal, returning the signed copy (the "EMV cryptogram"), which is forwarded to the bank and can be used only for that exact transaction that one time. If you have a PIN, the card requires the PIN along with the invoice
Re: Cash (Score:1)
Except this was a breach for online orders, which has nothing to do with EMV. This is why I try to use PayPal wherever it is accepted which, yes, has its own issues but at least there isn't anything that the merchant stores that screws me over when stolen.
Re: Cash (Score:1)
Re: (Score:2)
And folks, that's why cash is best.
Cash has its own problems, as anyone who has been pickpocketed (or wound up holding a worthless counterfeit bill) will tell you.
Credit cards are nothing but evil. Although, if you want to travel, you can't live without them.
They aren't entirely evil, since as you admit they can be really useful.
The problem with credit cards is they are insecure; in particular they are vulnerable to replay attacks.
Upgrade them to a proper cryptographic protocol and they can be just as secure as any other type of electronic payment system (e.g. Apple Pay or Android Pay), with no need to trust Pizza the Hut or anyone els
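The replay point made in this thread (static PAN + expiry + CVV can be resubmitted by whoever holds them, while an EMV-style cryptogram is good for one transaction) as an added example, not code from the original page or from any card network. It is a toy: the card key is a fixed byte string, the cryptogram is an HMAC-SHA256 over the transaction fields keyed with a key the card shares with the issuer (the comment above describes a signature; the replay-rejection logic is the same either way), and the counter check is what stops a captured cryptogram from being reused. `Card`, `Issuer`, `authorize_static` and the sample PAN/key/nonce are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def authorize_static(issuer_db, pan, expiry, cvv):
    """Card-not-present check on static credentials (PAN, expiry, CVV).
    Nothing in the request is bound to one transaction, so the same three
    values authorize again and again once they leak."""
    rec = issuer_db.get(pan)
    return rec is not None and rec["expiry"] == expiry and rec["cvv"] == cvv


@dataclass
class Card:
    """Stand-in for the chip: holds a key that never leaves it and a counter."""
    pan: str
    key: bytes
    atc: int = 0  # application transaction counter, incremented per transaction

    def cryptogram(self, amount_cents, terminal_nonce):
        self.atc += 1
        msg = f"{self.pan}|{amount_cents}|{terminal_nonce.hex()}|{self.atc}".encode()
        return self.atc, hmac.new(self.key, msg, hashlib.sha256).digest()


@dataclass
class Issuer:
    """Holds the same per-card keys and the highest counter seen per card."""
    keys: dict
    last_atc: dict = field(default_factory=dict)

    def verify(self, pan, amount_cents, terminal_nonce, atc, cryptogram):
        key = self.keys.get(pan)
        if key is None:
            return False
        msg = f"{pan}|{amount_cents}|{terminal_nonce.hex()}|{atc}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram):
            return False  # wrong key, or amount/nonce/counter altered in transit
        if atc <= self.last_atc.get(pan, 0):
            return False  # counter already used: a replay of an earlier cryptogram
        self.last_atc[pan] = atc
        return True


def demo():
    # Constructed sample data: a test PAN and a fixed key so the run is reproducible.
    pan = "4111111111111111"
    key = bytes.fromhex("00" * 31 + "2a")
    static_db = {pan: {"expiry": "12/20", "cvv": "123"}}
    card = Card(pan=pan, key=key)
    issuer = Issuer(keys={pan: key})
    nonce = bytes.fromhex("0011223344556677")  # would be random per terminal request

    atc, cg = card.cryptogram(2000, nonce)
    return {
        "static_first": authorize_static(static_db, pan, "12/20", "123"),
        "static_replay": authorize_static(static_db, pan, "12/20", "123"),
        "emv_first": issuer.verify(pan, 2000, nonce, atc, cg),
        "emv_replay": issuer.verify(pan, 2000, nonce, atc, cg),
        "emv_tampered_amount": issuer.verify(pan, 5000, nonce, atc, cg),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The static path approves the second submission just as happily as the first; the cryptogram path approves once and then rejects both the replay (counter already seen) and the amount change (MAC no longer matches). Note that this protects the transaction, not the PAN: a merchant that still stores the PAN for card-not-present orders, as in the breach above, gives an attacker the static path anyway.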
Re: (Score:2)
Do the banks go after Pizza Hut for their losses?
Re:So what (Score:5, Informative)
Do the banks go after Pizza Hut for their losses?
No. They go after the merchants that accepted the fraudulent transactions. If you run an online business, and you accept "card not present" transactions, then you are SOL if the bank issues a chargeback. You can verify the address, or at least the zipcode, to cut down on fraud, or you can just eat the loss as a cost of doing business. Either way, there are no "losses" for the bank. That is why they have no incentive to fix the system. It is not their problem.
I think we can relax (Score:2)
Re: (Score:3)
Cardiologists are probably lining up on the dark web to get their hands on that future customer list....
60k? (Score:2, Informative)
That number is very low for a nationwide chain. That's the customers in like one town.
As always, shrug and watch your statements. Your CC info is out there somewhere.
The summary said that it was only the customers who ordered within one time period of less than a day that were leaked. If so it sounds as if only orders in transit were leaked.
Why do they keep all that information ... (Score:5, Insightful)
on some machine that is capable of being cracked ? Once they have sought payment from the credit card company - why do they keep the CVV number ? If, for some reason, they really need to (eg: easy next order), then keep all that sensitive information on some machine with a very narrow API (eg: charge customer 1234 $20 - tell me if this is approved). Many problems could be, at least partly, mitigated if they did not store everything in one big damn SQL database!
Re: Why do they keep all that information ... (Score:1)
They have to keep all that info until closing.
Transactions are approved at time of sale, but processing is the last thing they do before shutting down the registers.
That's why it affected only one day of customers. Because that DB only has info during business hours and is purged as transactions are completed.
Re: (Score:3)
That said, if you check the little box which says "remember my credit card info for future purchases," you've authorized them to store it. You've traded away security for a little convenience.
Re: (Score:1, Interesting)
When a site says "remember my credit card info for future purchases", they are still not allowed to store your credit card number. They are allowed to convert the credit card number into a token that allows transfer of money from your bank account to Pizza Hut's bank account, and to use that token when you order again. That kind of token is useless to any hacker except to create a bit of mischief, because it can only used to send money to Pizza Hut, and not to
Re: (Score:1)
It’s not illegal at all. The PCI council is not affiliated with any government and does not make laws.
It’s double stupid, sure, but not illegal.
Re: (Score:3, Insightful)
Let's clarify, as someone else tried for you. It is not illegal, or double illegal.
Legally you can store CC numbers on fliers you put on everyone's door for advertisement. PCI is a set of rules that show you follow industry standard for protecting CC numbers (it isn't actually protecting them, its following a set of rules that may or may not protect them) IF you follow PCI rules and there are fraudulent transactions, you are not responsible. IF you do NOT follow PCI rules and there are fraudulent transac
Re: (Score:2)
They probably aren't permanently storing it, the hackers likely got in to the web back end that hands the CVV and other card details to their payment processor. Normally the CVV would be stored in memory for the duration of the transaction only.
Re: (Score:2)
Pizza Hut was one of the (increasingly rare) US businesses that refused to upgrade their terminals
Does this mean that Pizza Hut may be sued by people as it failed to take reasonable, and readily available, measures to protect credit card information ?
Re: (Score:2, Insightful)
Tell you what then: Post your CC details here, and I'll go eat at Pizza Hut tonight. We can touch base again here week to see how we're both doing.
1%, Caught within 28 hours, calling in experts (Score:5, Interesting)
According to the article, it affected fewer than 1% of customers that weekend, the intrusion was stopped within 28 hours, and they've called in outside experts to take an objective look at it and help them improve their security posture. They did get hacked, AND they are doing some things right.
It looks like they had some monitoring in place that caught it - good.
They are getting assistance from security professionals - good.
Those professionals don't work for the same internal IT department that had a deficiency in the first place - good.
The fact that they got hacked means there were several things wrong. They should have had multiple layers of security. Yet they are also doing some things right.
The story is only developing. Wait for it... (Score:2)
I think we've seen enough stories of this kind to know that businesses lie about the extent of the loss of control of relevant systems and by default we should not believe them their first report. We've even seen these kinds of stories repeated on /. recently:
Good response, bad systems (Score:3)
The response is good, but the funny thing is that I have long refused to let them store my CC number because the password policy they have is insane. I can't remember what it is right now, but I think they wouldn't let you use most symbols or spaces and had a really short maximum length.
I figured that anyone who would force their customers to use laughably weak passwords had poor internal security. I'm glad to see their response is better than I would've expected, but the fact that they got cracked does n
Re: (Score:2)
Huh, they must have changed over time. About a decade ago, I ordered a pizza for carry out from their website and I had to create an account and I remember the password requirements were quite stringent. I don't remember the details, but it did impress on me that the requirements were much more than what was required to protect what amounted to my zip code. Maybe they got pushback from customers on how hard it was to come up with a password. Though having a short maximum length and not allowing symbols
Do not trust third parties with your credit card (Score:2)
Security Fatigue (Score:2)
The future is everyone giving up and buying cyber-loss insurance. My house doesn't have to be a fortress with me guarding it 24/7 to get homeowner's insurance. The same level of practicality and get-on-with-your-life thinking needs to come to all of this cyber-security business.
Data theft = fact of life (Score:2)
Your personal and financial information has already been stolen, whether the company holding your data has admitted it or not (or more to the point, regardless of whether they even *know it* or not). And if it hasn't yet, it will be. Count on it.
Your information is not stored safely, period. Just accept it, move on and conduct yourself accordingly. It's a fact of life these days.
If you're like me... (Score:2)
... the first question this post raised was, "Pizza Hut has customers?"
They're not allowed to store the CVV (Score:2)
From Wikipedia [wikipedia.org]:
"As a security measure, merchants who require the CVV2 for "card not present" payment card transactions are required by the card issuer not to store the CVV2 once the individual transaction is authorized.[6] This way, if a database of transactions is compromised, the CVV2 is not included, and the stolen card numbers are less useful. Virtual terminals and payment gateways do not store the CVV2 code, therefore employees and customer service representatives with access to these web-based payment
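The design three comments in this thread converge on (a narrow "charge customer X $Y" API in front of the card data, a merchant-bound token instead of a stored PAN, and a CVV that is checked once and never written anywhere) as an added example, not code from the original page or from Pizza Hut's systems. `Vault`, `Merchant`, the `tok_` token format and the billing-ZIP comparison standing in for an AVS check are all assumptions made for the example; the PAN, CVV and ZIP are constructed test values.

```python
import secrets
from dataclasses import dataclass, field


def luhn_ok(pan: str) -> bool:
    """Luhn check: catches typos before a PAN is ever sent to the vault."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class Vault:
    """Narrow API in front of card data: tokenize once, then only charge by token.
    Nothing here returns a PAN, and the CVV is validated then dropped."""

    def __init__(self):
        self._cards = {}  # token -> PAN, expiry, billing ZIP, owning merchant

    def tokenize(self, pan, expiry, cvv, billing_zip, merchant_id):
        if not luhn_ok(pan):
            raise ValueError("PAN fails Luhn check")
        if not (cvv.isdigit() and len(cvv) in (3, 4)):
            raise ValueError("CVV malformed")
        # A real gateway forwards the CVV to the issuer for this one authorization;
        # the format check stands in for that here. Either way it is not stored.
        token = "tok_" + secrets.token_hex(12)
        self._cards[token] = {"pan": pan, "expiry": expiry,
                              "zip": billing_zip, "merchant": merchant_id}
        return token

    def charge(self, token, merchant_id, amount_cents, billing_zip):
        rec = self._cards.get(token)
        if rec is None or rec["merchant"] != merchant_id:
            return "declined"  # token only pays the merchant that created it
        if rec["zip"] != billing_zip:
            return "declined"  # ZIP mismatch (the AVS-style check discussed above)
        if amount_cents <= 0:
            return "declined"
        return "approved"


@dataclass
class Merchant:
    """What the merchant's own database holds after 'remember my card'."""
    merchant_id: str
    vault: Vault
    customers: dict = field(default_factory=dict)

    def save_card(self, customer_id, pan, expiry, cvv, billing_zip):
        token = self.vault.tokenize(pan, expiry, cvv, billing_zip, self.merchant_id)
        # Only the token, a display-safe last4 and the ZIP are kept; PAN and CVV are not.
        self.customers[customer_id] = {"token": token, "last4": pan[-4:], "zip": billing_zip}
        return token

    def reorder(self, customer_id, amount_cents):
        c = self.customers[customer_id]
        return self.vault.charge(c["token"], self.merchant_id, amount_cents, c["zip"])


def demo():
    # Constructed sample: one vault, the pizza merchant, and a second merchant
    # playing the thief who has dumped the pizza merchant's customer table.
    pan, cvv = "4111111111111111", "123"
    vault = Vault()
    pizza = Merchant("mer_pizza", vault)
    pizza.save_card("cust_42", pan, "12/20", cvv, "40202")
    stolen = dict(pizza.customers["cust_42"])  # what the attacker walks away with
    thief = Merchant("mer_thief", vault)

    leaked_values = [v for rec in pizza.customers.values() for v in rec.values()]
    return {
        "reorder": pizza.reorder("cust_42", 1999),
        "thief_with_stolen_token": vault.charge(stolen["token"], thief.merchant_id,
                                               1999, stolen["zip"]),
        "wrong_zip": vault.charge(stolen["token"], "mer_pizza", 1999, "90210"),
        "pan_in_merchant_db": pan in leaked_values,
        "cvv_in_merchant_db": cvv in leaked_values,
        "cvv_in_vault": any("cvv" in rec for rec in vault._cards.values()),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Dumping the merchant table yields a token, a last4 and a ZIP; the token is only honoured for the merchant that created it, so the thief's charge is declined, and neither the merchant table nor the vault has a CVV to lose. What this does not fix is the window the comments above point at: the card details still pass through the web back end in memory between form submission and `tokenize`, which is exactly where a 28-hour intrusion on the order path would sit.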
I don't know what's worse (Score:2)
Stop using plastic, start using cash again (Score:2)