Customers cheesed off after card details nicked in Pizza Hut data breach

Miscreants have made off with payment card details of "a small number of clients" following a data breach at Pizza Hut. In an email to affected customers seen by Bleeping Computer, the fast-food chain wrote: "Pizza Hut has recently identified a temporary security intrusion that occurred on our website. "We have learned that …

  1. Anonymous Coward

    PCI ????

    Surely, if PH were following PCI guidelines (the ones that no one likes paying experts for) then they would have been OK in the event of a breach?

    Let me guess ... they *weren't* following guidelines ???

    Unlike the useless ICO, the card payment industry has teeth, and should use them. £100 per card details should do it.

    1. wolfetone Silver badge

      Re: PCI ????

      Well, to be honest, any old jackass can tick a few boxes for that PCI-DSS check that you have to do yearly. The odds that the guys who didn't design or work on the system never saw the PCI-DSS certification and didn't do the check, so the jackass who got the bit of paper who's never seen the system goes "Ah yeah we've done all of this. Tick tick tick".

      I've known it done in a previous employment until I put my foot down and took command of the PCI-DSS disclosure. We had broken it before then, but once I knew what was involved in it the system I looked after was compliant.

  2. kain preacher

    Breaking news: Visa and MasterCard pull Pizza Hut's account till they prove the web site is secure

    Oh wait I was dreaming. Nothing will happen.

    1. Mike Shepherd

      Not until the credit card companies are made jointly liable.

      1. John Brown (no body) Silver badge

        "Not until the credit card companies are made jointly liable."

        Isn't it the card company who makes good the fraudulent transactions?

        (I can dream, can't I?)

  3. JimmyPage Silver badge
    Stop

    Be more secure using BitCoin

    just saying ...

    1. Pascal Monett Silver badge
      Thumb Down

      Yeah, because BitCoin is so widely used by brick-and-mortar shop websites already.

      1. lglethal Silver badge
        Facepalm

        and Bitcoin exchanges never get hacked or have their Operators run away with the goods, do they? *cough*Mt Gox*cough*

      2. kain preacher

        Ahem, Dish TV takes bitcoins.

        1. Pascal Monett Silver badge

          Congratulations! You have found one!

          Come back when you have another thousand and we'll start talking about this little-known other thing called PayPal . . .

  4. Richard Tobin

    Where?

    What country is this in?

    Other reports present it as if it were a US website problem.

    1. Scroticus Canis
      Facepalm

      Re: Where? - From the article - "the breach has only affected customers in the US"

      Oh-oh!

      1. Doctor Syntax Silver badge

        Re: Where? - From the article - "the breach has only affected customers in the US"

        But let's follow up that apparently irrelevant discussion about GDPR. If the US Supreme Court were to allow the extraterritoriality that the DoJ is claiming then why shouldn't Europe do the same?

        If a US company that also trades in Europe has a data breach in the US why shouldn't we, once GDPR becomes operative, require them to report it to the relevant European authorities as well and impose GDPR-scale fines for failing to do this and any other GDPR offences that they may commit? It's the only way to make the Privacy Figleaf and similar claptrap mean anything real.

  5. Harry Stottle

    Surely they don't store payment card details. So wtf?

    Someone help me understand...

    I presume they don't store payment card details. (if that assumption is wrong, then all bets are off and I withdraw my question)

    So, assuming they don't, yes they need to process the data, but presumably that's done in a couple of secure sessions (one with the customer, one with the Card Issuer), but once they've received a payment authorisation, they have no further legit use for the data. So how has an attacker breached their defences? Are the secure communication protocols broken? Or what...

    1. alain williams Silver badge

      Re: Surely they don't store payment card details. So wtf?

      I presume they don't store payment card details.

      See their T&Cs section 3.2: "We will not charge your credit or debit card until we despatch your order." which means that they do keep your card details ... I would not be surprised if, once they have them, they keep them for a lot longer.

      1. Harry Stottle

        Re: Surely they don't store payment card details. So wtf?

        ah, that's interesting.

        Is it not possible (I naively assumed this was routine) to have a "provisional" authorisation code which would deal with that situation? (Ideally confirmed by a "signature" from the customer, but let's not run before we can walk...)

    2. John Brown (no body) Silver badge

      Re: Surely they don't store payment card details. So wtf?

      "Are the secure communication protocols broken?"

      From the article, the breach only affects people using the site and placing an order during a certain 28 hour period. That implies some sort of MitM attack or similar catching the live data, not a breach/copying of a database.

  6. chivo243 Silver badge
    Trollface

    That's no Pizza Hut pizza

    Looks way too nice and edible...

    Further to the point, never pay for food with a credit card!

    And we'll grab the popcorn waiting for the real number of affected customers to be revealed.

  7. Tom 7

    Giving your card details to Pizzahut

    in exchange for a 30p open sandwich at the prices they charge and then you complain about a data breach?

  8. Hans 1

    Under the current law there is no obligation to notify, she said.

    Dear madam, our crooked politicians might not have brought appropriate laws into effect, yet, however, the internet is there among other things to name and shame ... and this time, we shame not only Pizza Hut, but also your silly outfit.

    As of today, I solely proclaim that Kemp Little are a bunch of retards, not to be trusted in any way. I accuse them of being accomplices to data thieves and frauds.

    As of today, I solely proclaim that Pizza Hut are a bunch of retards, not to be trusted in any way. I accuse them of being accomplices to data thieves and frauds.

    If you are aware of fraudulent behavior, you must inform the authorities without delay, in every country on this planet. How these companies get away with it I do not know. How security advisers (ROFL) get away with it I understand even less ...

    1. Hans 1
      Happy

      Actually, I have a simple proposal for a bill:

      Any party that leaks cc information is liable for any use of the cc card as of the date of the breach, unless they can prove the 3rd party did not have the cc information at the time of use.

      If your company is STUPID ENOUGH to store cc data and anybody accesses it, OR anybody manages to intercept said data, any purchases made with said cc information after the time it was retrieved is YOUR COMPANY'S problem ... then, and only then will companies take security seriously, that will also mean the end of MS' empire.... which can only be a good thing ;-)

      Let's keep things simple!

  9. Raffbone

    Do we know how much dough they'll be fined in the US?

    That pun is going to take some Topping...

    /getsCoat

    1. TitterYeNot
      Coat

      Re: Do we know how much dough they'll be fined in the US?

      No Topping required, it's cheesy enough as it is...

      1. Anonymous Coward

        Re: Do we know how much dough they'll be fined in the US?

        I reckon they'll get fined a decent slice.

  10. fobobob

    retailers: Why can't we just pass the entire mess onto the payment processors so we can carry on about our lives?

    payment processors: Why can't we just pass the entire mess onto the consumer so we can carry on about our lives?

    consumers: Why can't we just ... well, shit.

    We all know who is going to wind up taking the shaft in the (rear) end.

  11. Anonymous Coward

    'Pizza Hut takes the information security of our customers very seriously'

    Time that disingenuous PR statements like that bring automatic castration!

    1. jimdandy
      Windows

      Re: 'Pizza Hut takes the information security of our customers very seriously'

      Do you really think that would affect PR people in any way?

      Just pay cash - or buy decent pizza elsewhere.

  12. mediabeing

    AVOID PIZZA HUT in the USA!! They've gone insane with the salt content of their pizzas!

    There are several articles about it online from various sources. I kid not.

    I had such a Pizza Hut product recently and it was god awful.

  13. Anonymous Coward

    slickmetal

    I'm sick of these data breaches. Reporters need to start shaming the people responsible by publishing names (top to bottom) of people involved that caused the issue. If the press starts doing this the tech people are going to be shamed into doing the right thing.
