Any way you slice it, it's not great news for Pizza Hut customers who learned on Saturday their personal data was stolen during an Oct. 1-2 breach of the Italian food chain's website.
According to the Lexington Herald-Leader and additional outlets, the subsidiary of Louisville, Ky.-based Yum! Brands Pizza Hut sent an email letter to affected customers on Oct. 14, notifying them that an "unauthorized third-party intrusion" resulted in the theft of their names, billing zip codes, delivery addresses, email addresses, and payment card account numbers, expiration dates and CVV numbers.
"The security intrusion at issue impacted a small percentage of our customers and we estimate that less than one percent of the visits to our website over the course of the relevant week were affected," states the letter, which was obtained and published by various outlets. "That said, we regret to say that we believe your information is among that impacted group." The Herald-Leader cited a call center operator who reportedly said that the small percentage of affected customers totals around 60,000.
On the positive side, Pizza Hut spotted the anomalous activity in short order and limited the damage to a 28-hour period. "Compared to many recent breaches, Pizza Hut detected the breach relatively quickly and so limited the number of customer card details stolen," said Javvad Malik, security advocate at cybersecurity company AlienVault. "It goes to illustrate the importance and value of having good threat detection and response controls in place so as to limit exposure."
On the other hand, the chain has also drawn criticism for taking approximately two weeks to actually disclose the incident. Even if investigators were using this period to gather more information about the incident, customers could have been further victimized during this time.
“While Pizza Hut is suggesting this breach wasn't particularly serious in terms of the volume of customers affected, there are certainly some best practices that were not implemented around this breach," said Marco Cova, senior security researcher at cybersecurity company Lastline. "Waiting two weeks to inform the users affected means that the individuals were unable to block or change their cards, which in turn meant that the fraudulent data stolen facilitated further cybercrime in the form of credit card fraud, which is always the worry with data breaches."
However, some experts have come to Pizza Hut's defense.
“The Pizza hut card breach poses an interesting question about how quickly a company should come clean with its customers," said Lee Munson, security researcher at security product testing service Comparitech. "While a two-week period between breach and notification may sound like two weeks too many to affected customers, it is in fact a very quick response versus industry norms which often see no disclosure made at all."
Ilia Kolochenko, CEO of web security company High-Tech Bridge, agreed that notification was "a bit protracted," but said the delay "can be explained by the difficulty in properly identifying all of the victims affected. Therefore, I think we should abstain from blaming Pizza Hut before all the details of the incident have become known."
“Pizza Hut U.S. experienced a brief third-party security intrusion on our website and mobile app that compromised the information of a limited number of customers," reads an official statement from the company. "Pizza Hut quickly detected the intrusion and immediately took steps to halt it and remediate the security issue..."
"We take the information security of our customers very seriously and invest in resources to protect the customer information in our care. We value the trust our customers place in us, regret that this happened, and apologize for any inconvenience this may have caused," the statement continues.