News broke yesterday evening that Pizza Hut customers are reporting fraudulent activity on their cards, after the pizza giant disclosed a card breach. The company has suggested only a small number of accounts were affected, but customers say they were not informed until two weeks after the breach. IT security experts commented below.
Marco Cova, Senior Security Researcher at Lastline:
“While Pizza Hut are suggesting this breach wasn’t particularly serious in terms of the volume of customers affected, there are certainly some best practices that were not implemented around this breach. Waiting two weeks to inform the users affected means that the individuals were unable to block or change their cards, which in turn meant that the fraudulent data stolen facilitated further cybercrime in the form of credit card fraud, which is always the worry with data breaches. Companies should learn from this mistake, and should endeavour to tell the individuals what’s happening as soon as possible, and invest in the appropriate breach-detection services to stop cybercriminals before they access the data in the first place.”
Christopher Littlejohns, EMEA Manager at Synopsys:
“Although this leakage was constrained to a relatively short period, the value of the credit card information to the criminals is of course very high. Any company that captures and stores such critically sensitive customer information must mitigate the risk of leakage, otherwise they may run foul of mass social media anger. As we have seen, this can be commercially damaging. Legislative bodies worldwide are waking up and tackling this issue, a great example being the forthcoming GDPR regulations which oblige companies to ensure they are applying appropriate diligence at risk of receiving major fines if negligence is proven.”
Lee Munson, Security Researcher at Comparitech.com:
“The Pizza Hut card breach poses an interesting question about how quickly a company should come clean with its customers. While a two-week period between breach and notification may sound like two weeks too many to affected customers, it is in fact a very quick response versus industry norms, which often see no disclosure made at all.
Now that customers have been informed of when the breach took place, they can be proactive around checking their bank and credit card accounts for suspicious activity. Given the size of Pizza Hut, and its need to maintain its reputation, any victims of payment card fraud should consider contacting the company to see if any assistance is forthcoming, in the form of credit monitoring, or any other help the business may consider offering.”
Andrew Clarke, EMEA Director at One Identity:
“As we move closer to the official commencement date, 25 May 2018, of the General Data Protection Regulation (GDPR), organisations are going to have to up their game to ensure that they are prepared for their responsibilities under the act. The biggest change to the regulatory landscape of data privacy comes from the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the European Union, no matter where the company is located. This would possibly have direct impact on Pizza Hut in this case.
A notifiable breach has to be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. It is noted that Pizza Hut allowed two weeks to pass before notification. The GDPR recognises that it will often be impossible to investigate a breach fully within that time-period and allows them to provide information in phases. If the breach is sufficiently serious to warrant notification to the public, the organisation responsible must do so without undue delay. Failing to notify a breach when required to do so can result in a significant fine up to a maximum of 20 million Euros or 4 per cent of global turnover.
Organisations need to ensure that staff understand what constitutes a data breach, and that this is more than a loss of personal data. They also need to ensure that they have an internal breach reporting procedure in place. This will facilitate decision-making about whether they need to notify the relevant supervisory authority or the public. In light of the tight timescales for reporting a breach, it is important to have robust breach detection, investigation and internal reporting procedures in place.”
Javvad Malik, Security Advocate at AlienVault:
“Compared to many recent breaches, Pizza Hut detected the breach relatively quickly and so limited the number of customer card details stolen. It goes to illustrate the importance and value of having good threat detection and response controls in place so as to limit exposure.”