Fast food retail chain Pizza Hut Australia has suffered a data breach exposing sensitive customer information.
Phil Reed, Chief Executive of Pizza Hut’s Australian operation, said the company became aware of the incident in early September and launched an investigation. The probe determined that an unauthorized third party had accessed personal information stored on the compromised system.
With approximately 260 outlets, Pizza Hut Australia is owned by California’s Flynn Restaurant Group, which acquired it from Allegro Funds, which in turn bought it from Yum! Brands.
Pizza Hut Australia confirms data breach
Pizza Hut Australia confirmed that the data breach leaked personal and transactional information provided by its customers.
“We have confirmed that the data impacted relates to customer record details and online order transactions held on our Pizza Hut Australia customer database,” said Pizza Hut Australia.
The company immediately secured the system and launched an investigation with external cybersecurity experts.
“We secured our systems, engaged forensic and cybersecurity specialists and initiated an ongoing investigation to help us understand what occurred, and identify the data that was impacted,” Reed said.
The restaurant chain also notified the Office of the Australian Information Commissioner and alerted impacted Pizza Hut Australia customers.
Although Pizza Hut Australia sent data breach notifications to 193,000 customers, it anticipates that “only a small portion” had their personal information compromised. Accordingly, most customers received a general data breach alert, while those seriously affected received additional information.
Pizza Hut Australia anticipates that the data breach exposed customer names, delivery addresses, email addresses and phone numbers, masked credit card numbers, and encrypted account passwords for online accounts.
Additionally, the food retail chain said that the data breach did not affect its daily operations and that the stolen data had not been misused. However, the Flynn Restaurant Group subsidiary advised customers to remain vigilant for phishing attacks and online scams.
The company withheld information about the attack vector, the threat actor’s identity, the period over which the data was exposed, and whether any ransom demands were made.
In September 2023, a threat actor said they breached Pizza Hut Australia’s unsecured Amazon Web Services (AWS) endpoint and stole 1 million records. While the stolen data matches that from the recent leak, it remains unclear if the two incidents were related.
Paul Bischoff, a privacy advocate with Comparitech, warned that, although the leaked information was encrypted, Pizza Hut Australia’s customers were not out of the woods yet.
“Although the stolen passwords and credit card info was encrypted, Pizza Hut customers should still take precautions,” said Bischoff. “Change your password, and if you use the same password on any other accounts, change those too.”
Javvad Malik, Lead Security Awareness Advocate at KnowBe4, applauded Pizza Hut Australia for responding swiftly, which he said demonstrated its commitment to resolving the data breach. However, he warned that threat actors could misuse the leaked information for targeted attacks.
“Such information can be leveraged by malicious actors for targeted attacks, such as phishing or identity theft,” noted Malik.
Another fast food cyber attack
Threat actors are increasingly targeting food retailers, drawn by the large volumes of personal and financial information these companies collect from their customers.
In January 2023, Yum! Brands subsidiaries KFC, Taco Bell, and Pizza Hut suffered ransomware attacks, shutting down 300 outlets in the United Kingdom.
On March 2, 2022, Chick-fil-A disclosed that hackers had executed automated account takeover attacks between December 18, 2022, and February 12, 2023, using credentials obtained from a third-party source, compromising over 70,000 accounts.
In 2019, Pizza Hut UK warned customers that attackers had compromised the accounts of “Hut Rewards” scheme users. Two years prior, threat actors stole credit card information for Pizza Hut customers who ordered between the morning of October 1, 2017, and midday on October 2, 2017. In 2016, KFC advised Colonel’s Club members to update their passwords after threat actors compromised their accounts.