Pizza Hut customers informed of data breach after 12 days

Pizza Hut waited nearly two weeks to inform customers of a data breach that is believed to have affected 60,000 people across the US.

The company circulated an email on 14^th October to customers thought to have been affected.

This said: “Pizza Hut has recently identified a temporary security intrusion that occurred on our website. We have learned that the information of some customers who visited our website or mobile application during an approximately 28-hour period (from the morning of October 1, 2017, through midday on October 2, 2017) and subsequently placed an order may have been compromised.

“Pizza Hut identified the security intrusion quickly and took immediate action to halt it.”

A call centre operator told the McClatchy news site that about 60,000 people were affected. Pizza Hut has not confirmed or denied this.

It is reported that names, billing ZIP codes, delivery addresses, email addresses and payment card information — meaning account number, expiration date and CVV number — were compromised

The notice sent out to affected customers said Pizza Hut estimates “that less than one percent of the visits to our website over the course of the relevant week were affected”.

Those customers have been offered a year’s free security monitoring with Kroll Information Assurance, LLC, but that hasn’t reconciled everyone to the company’s handling of the incident.

One customer tweeted: “Hey @pizzahut, thanks for telling me you got hacked 2 weeks after you lost my cc number. And a week after someone started using it.”

The Washington Post reports that there are multiple reasons why customers might not be informed of a hack immediately. Law enforcement might have delayed the announcement, to avoid alerting other hackers, for example, and it takes time for companies to determine the exact scope of a hack, what information was stolen in the first place and if the data taken could cause serious damage to customers, according to the Post.

There are different standards in 48 states and U.S. territories for how and when a hack needs to be disclosed. Alabama and South Dakota are the only states that don’t have security breach notification laws, the Post reported.

And of those 48 states, only eight states — Connecticut, Florida, Maine, New Mexico, Ohio, Rhode Island, Tennessee and Vermont — set a timeline for when the hacks need to be announced, which range from 30 to 90 days, according to the Post.