Become a fan of Slashdot on Facebook


Forgot your password?
Crime Security Businesses United States

Pizza Hut Leaks Credit Card Info On 60,000 Customers ( 76

An anonymous reader quotes McClatchy: Pizza Hut told customers by email on Saturday that some of their personal information may have been compromised. Some of those customers are angry that it took almost two weeks for the fast food chain to notify them. According to a customer notice emailed from the pizza chain, those who placed an order on its website or mobile app between the morning of Oct. 1 and midday Oct. 2 might have had their information exposed. The "temporary security intrusion" lasted for about 28 hours, the notice said, and it's believed that names, billing ZIP codes, delivery addresses, email addresses and payment card information -- meaning account number, expiration date and CVV number -- were compromised... A call center operator told McClatchy that about 60,000 people across the U.S. were affected.
"[W]e estimate that less than one percent of the visits to our website over the course of the relevant week were affected," read a customer notice sent only to those affected, offering them a free year of credit monitoring. But that hasn't stopped sarcastic tweets like this from the breach's angry victims.

"Hey @pizzahut, thanks for telling me you got hacked 2 weeks after you lost my cc number. And a week after someone started using it."
This discussion has been archived. No new comments can be posted.

Pizza Hut Leaks Credit Card Info On 60,000 Customers

Comments Filter:
  • Cash (Score:1, Insightful)

    by Anonymous Coward

    And folks, that's why cash is best.

    Credit cards are nothing but evil. Although, if you want to travel, you can't live without them.

    Credit is just an evil. There's very little good about it - for consumers.

    Now, business credit is called "leverage" and that's a whole different issue.

    But for Joe Public, credit cards should just be outlawed. Just destroy them and their business. If it weren't for them, much of our economic dysfunction wouldn't exist. It just distorts everything....

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Cash doesn't come with zero liability like credit cards often do. If one's card is stolen or number compromised, they're just mailed a new card. Easy, no hassles. Sure, one occasionally hears horror stories, but that's why one should be somewhat selective with the credit card issuers they choose to do business with.

      As for accumulating debt, one can just pay the bill in full every month like many do. In which case, no debt to worry about. So one gets all the benefits of zero liability, plus rewards, extended

      • Don't change anything, just keep doing the same thing over and over again forever and cross your fingers that nothing bad happens to YOU! CONVENIENCE is more important than keeping your accounts and identity secure!

        You're ridiculous and you don't even understand WHY you're ridiculous. Electronic payment systems are clearly and objectively INSECURE and UNRELIABLE now, there are security breaches practically EVERY GODDAMNED DAY, and you're recommending just ignoring that? Utter stupidity. GO BACK TO USING CASH until they get on the ball and fix the security problems!

    • I have a better solution. All transactions should be based on a challenge/response using encryption. No single transaction should expose the actual account number. The data that is sent in response should only work for a single transaction. Note that some credit card issuers use this technology already but it requires an application running on your computer or phone.
      • That is a sensible idea, but there is a big problem: Those with the power to fix the system have no incentive to do so. The cost of fraud is pushed onto the merchants. The hassle of dealing with identity theft is dumped on the consumer. Mastercard and Visa have a vested interest in the current system, since any attempt at reform would quickly expose them as parasites that can be easily bypassed. The banks also have a vested interest in keeping the current system since a new system would likely be a "ch

      • always pay cash when buying from fast food. they are not...into technology. they are into feeding you. a mortage, car payment or a utility bill is different. none of those come to your front door for payment.
    • by Jeremi ( 14640 )

      And folks, that's why cash is best.

      Cash has its own problems, as anyone who has been pickpocketed (or wound up holding a worthless counterfeit bill) will tell you.

      Credit cards are nothing but evil. Although, if you want to travel, you can't live without them.

      They aren't entirely evil, since as you admit they can be really useful.

      The problem with credit cards is they are insecure; in particular they are vulnerable to replay attacks.

      Upgrade them to a proper cryptographic protocol and they can be just as secure as any other type of electronic payment system (e.g. Apple Pay or Android Pay), with no need to trust Pizza the Hut or anyone els

  • I'm pretty sure the information that can be gleaned from a Pizza Hut customer is not exactly going to make a cyber criminal rich.
  • 60k? (Score:2, Informative)

    by Anonymous Coward

    That number is very low for a nationwide chain. Thats the customers in like one town.

    As always, shrug and watch your statements. Your CC info is out there somewhere.

    • by pnutjam ( 523990 )
      I didn't read the article, but I'm a bit heartened that at least this seems to indicate they aren't storing CC numbers forever, like so many companies.
    • Funny, I read that and thought, "Pizza Hut still has 60,000 customers?" I don't even know where the nearest Pizza Hut is.
  • by Alain Williams ( 2972 ) <> on Sunday October 15, 2017 @04:48PM (#55373887) Homepage

    on some machine that it capable of being cracked ? Once they have sought payment from the credit card company - why do they keep the CVV number ? If, for some reason, they really need to (eg: easy next order), then keep all that sensitive information on some machine with a very narrow API (eg: charge customer 1234 $20 - tell me if this is approved). Many problem could be, at least partly, mitigated if they did not store everything in one big damn SQL database!

    • They have to keep all that info until closing.

      Transactions are approved at time of sale, but processing is the last thing they do before shutting down the registers.

      That's why it affected only one day of customers. Because that DB only has info during business hours and is purged as transactions are completed.

    • It's illegal to store credit card numbers without the card holder's authorization.

      That said, if you check the little box which says "remember my credit card info for future purchases," you've authorized them to store it. You've traded away security for a little convenience.
      • Re: (Score:1, Interesting)

        by gnasher719 ( 869701 )
        It's double illegal to store the CVV number.

        When a site says "remember my credit card info for future purchases", they are still not allowed to store your credit card number. They are allowed to convert the credit card number into a token that allows transfer of money from your bank account to Pizza Hut's bank account, and to use that token when you order again. That kind of token is useless to any hacker except to create a bit of mischief, because it can only used to send money to Pizza Hut, and not to
        • by Anonymous Coward

          It’s not illegal at all. The PCI council is not affiliated with any government and does not make laws.

          It’s double stupid, sure, but not illegal.

        • Re: (Score:3, Insightful)

          by Anonymous Coward

          Lets clarify, as someone else tried for you. It is not illegal, or double illegal.

          Legally you can store CC numbers on fliers you put on everyone's door for advertisement. PCI is a set of rules that show you follow industry standard for protecting CC numbers (it isn't actually protecting them, its following a set of rules that may or may not protect them) IF you follow PCI rules and there are fraudulent transactions, you are not responsible. IF you do NOT follow PCI rules and there are fraudulent transac

        • by AmiMoJo ( 196126 )

          They probably aren't permanently storing it, the hackers likely got in to the web back end that hands the CVV and other card details to their payment processor. Normally the CVV would be stored in memory for the duration of the transaction only.

    • Because everyone on the receiving end of your money doesn't give a rats ass about YOU being secure so long as they get your money. So far as they're concerned all these security breaches are YOUR problem and they can't be bothered. GO BACK TO USING CASH. Then it won't be a problem anymore.
  • by raymorris ( 2726007 ) on Sunday October 15, 2017 @04:51PM (#55373899) Journal

    According to the article, it affected fewer than 1% of customers that weekend, the intrusion was stopped within 28 hours, and they've called in outside experts to take an objective look at it and help them improve their security posture. They did get hacked, AND they are doing some things right.

    It looks like they had some monitoring in place that caught it - good.
    They are getting assistance from security professionals - good.
    Those professionals don't work for the same internal IT department that had a deficiency in the first place - good.

    The fact that they got hacked means there were several things wrong. They should have had multiple layers of security. Yet they are also doing some things right.

    • According to the article, it affected fewer than 1% of customers that weekend, the intrusion was stopped within 28 hours, and they've called in outside experts to take an objective look at it and help them improve their security posture.

      I think we've seen enough stories of this kind to know that businesses lie about the extent of the loss of control of relevant systems and by default we should not believe them their first report. We've even seen these kinds of stories repeated on /. recently:

    • The response is good, but the funny thing is that I have long refused to let them store my CC number because the password policy they have is insane. I can't remember what it is right now, but I think they wouldn't let you use most symbols or spaces and had a really short maximum length.

      I figured that anyone who would force their customers to use laughably weak passwords had poor internal security. I'm glad to see their response is better than I would've expected, but the fact that they got cracked does n

      • by theCoder ( 23772 )

        Huh, they must have changed over time. About a decade ago, I ordered a pizza for carry out from their website and I had to create an account and I remember the password requirements were quite stringent. I don't remember the details, but it did impress on me that the requirements were much more than what was required to protect what amounted to my zip code. Maybe they got pushback from customers on how hard it was to come up with a password. Though having a short maximum length and not allowing symbols

  • In fact, treat them the same way SMERSH kept trying to treat James Bond. Death To Spies!
  • The future is everyone giving up and buying cyber-loss insurance. My house doesn't have to be a fortress with me guarding it 24/7 to get homeowner's insurance. The same level of practicality and get-on-with-your-life thinking needs to come to all of this cyber-security business.

  • Your personal and financial information has already been stolen, whether the company holding your data has admitted it or not (or more to the point, regardless of whether they even *know it* or not). And if it hasn't yet, it will be. Count on it.

    Your information is not stored safely, period. Just accept it, move on and conduct yourself accordingly. It's a fact of life these days.

  • ... the first question this post raised was, "Pizza Hut has customers?"

  • From Wikipedia []:

    "As a security measure, merchants who require the CVV2 for "card not present" payment card transactions are required by the card issuer not to store the CVV2 once the individual transaction is authorized.[6] This way, if a database of transactions is compromised, the CVV2 is not included, and the stolen card numbers are less useful. Virtual terminals and payment gateways do not store the CVV2 code, therefore employees and customer service representatives with access to these web-based payment

  • Having your personal info stolen or others finding out that you ate at Pizza Hut. They both seem pretty terrible.
  • About 4 months ago I stopped using plastic for everything and started using cash as much as possible because of constant security breaches like this one. I'm recommending in the strongest words possible that everyone do the same, unless you really want to continually expose yourself to the threat of having your bank accounts drained and/or credit cards maxed out and/or identity stolen. The more you use plastic the more exposed you are and there's no getting around that anymore, and the situation is not goin

"Everyone's head is a cheap movie show." -- Jeff G. Bone