Pizza Hut data breach shows need for board control

Pizza Hut acts on security breach

Despite the delay in notifying affected customers, the company claims to have spotted the security intrusion quickly and taken immediate action to halt it.

Pizza Hut said in a statement that the breach had affected “some customers” who visited its US website or mobile application during an approximately 28-hour period (from the morning of 1 October 2017 to midday on 2 October 2017), and subsequently placed an order, may have been compromised.

“The security intrusion at issue impacted a small percentage of our customers and we estimate that less than 1% of the visits to our website over the course of the relevant week were affected,” the statement said.

The company did not say exactly how many customers were affected, but some reports say around 60,000 people across the US were affected, citing a call centre operator.

Breach notification compulsory under GDPR

The failure to notify customers immediately after the breach was discovered has potential legal implications, according to technology and digital media specialist law firm Kemp Little.

“The ICO [Information Commissioner’s Office] suggests organisations should report personal data breaches that may cause “serious harm” to individuals affected by the breach – it is essential companies act quickly in making this assessment,” said Nicola Fulford, head of data protection and privacy at Kemp Little.

“Where financial data has been compromised, it raises serious concerns of identity theft, likely to cause emotional distress and financial damage to the individual,” she said.

Under the current law, there is no obligation to notify, however when the EU General Data Protection Regulation comes into effect from 25 May 2018, Fulford said it will be mandatory for organisations to notify of data breaches that risk harm to individuals.

“Failure to do so means companies could face significant fines of €10m, or up to 2% of worldwide turnover,” she said, referring to the lower tier of sanctions for less serious failings. The upper tier provides for fines of up to €20m, or 4% of global turnover, whichever is greater.

Prepare response ahead of data breach

According to Fulford, the way companies manage a breach should be a board-level issue. “Careful planning in advance of a data breach is key to limiting further data loss, mitigating the impact for individuals, minimising the associated media attention and maintaining customer trust.

“Ensuring call centre and customer support staff are geared up to respond, with key facts and how customers can protect themselves and their data, goes some way to demonstrating the company has customers’ interests at the heart of the breach,” she said.

Companies that fail to prepare a plan of action in the event of a data breach will find themselves without answers when the news breaks and a flood of questions from concerned customers is received, warned Fulford. “The chances then of a dive in customer confidence is high,” she said.