Pizza Hut has come under fire for failing to notify affected customers for two weeks after discovering a data breach that exposed credit card details.
Affected customers took to Twitter to complain about the delay in notification, with some reporting fraudulent card transactions that may be linked to the breach.
Compromised data includes customer names, billing postcodes, delivery addresses, email addresses and payment card information – meaning account number, expiration date and security number – according to the Miami Herald.
“Hey @pizzahut, thanks for telling me you got hacked 2 weeks after you lost my cc number. And a week after someone started using it. #timely,” tweeted one unhappy customer.
“@pizzahut great security there & thanks for the delay in notifying us after thieves already charged our accts,” tweeted another.
Pizza Hut acts on security breach
Despite the delay in notifying affected customers, the company claims to have spotted the security intrusion quickly and taken immediate action to halt it.
Pizza Hut said in a statement that “some customers” who visited its US website or mobile application during an approximately 28-hour period (from the morning of 1 October 2017 to midday on 2 October 2017) and subsequently placed an order may have had their data compromised.
“The security intrusion at issue impacted a small percentage of our customers and we estimate that less than 1% of the visits to our website over the course of the relevant week were affected,” the statement said.
The company did not say exactly how many customers were affected, but some reports, citing a call centre operator, put the figure at around 60,000 people across the US.
Breach notification compulsory under GDPR
The failure to notify customers immediately after the breach was discovered has potential legal implications, according to technology and digital media specialist law firm Kemp Little.
“The ICO [Information Commissioner’s Office] suggests organisations should report personal data breaches that may cause ‘serious harm’ to individuals affected by the breach – it is essential companies act quickly in making this assessment,” said Nicola Fulford, head of data protection and privacy at Kemp Little.
“Where financial data has been compromised, it raises serious concerns of identity theft, likely to cause emotional distress and financial damage to the individual,” she said.
Under the current law there is no obligation to notify, but when the EU General Data Protection Regulation comes into effect from 25 May 2018 it will be mandatory for organisations to notify data breaches that risk harm to individuals, Fulford said.
“Failure to do so means companies could face significant fines of €10m, or up to 2% of worldwide turnover,” she said, referring to the lower tier of sanctions for less serious failings. The upper tier provides for fines of up to €20m, or 4% of global turnover, whichever is greater.
Prepare response ahead of data breach
According to Fulford, the way companies manage a breach should be a board-level issue. “Careful planning in advance of a data breach is key to limiting further data loss, mitigating the impact for individuals, minimising the associated media attention and maintaining customer trust.
“Ensuring call centre and customer support staff are geared up to respond, with key facts and how customers can protect themselves and their data, goes some way to demonstrating the company has customers’ interests at the heart of the breach,” she said.
Companies that fail to prepare a plan of action for a data breach will find themselves without answers when the news breaks and a flood of questions arrives from concerned customers, warned Fulford. “The chances then of a dive in customer confidence are high,” she said.