Pizza Hut was hacked, company says

Pizza Hut announced Saturday that a small portion of its users had their personal information compromised.
Pizza Hut announced Saturday that a small portion of its users had their personal information compromised. M.O. Stevens

Pizza Hut told customers by email on Saturday that some of their personal information may have been compromised. Some of those customers are angry that it took almost two weeks for the fast food chain to notify them.

According to a customer notice emailed from the pizza chain, those who placed an order on its website or mobile app between the morning of Oct. 1 and midday Oct. 2 might have had their information exposed.

The “temporary security intrusion” lasted for about 28 hours, the notice said, and it’s believed that names, billing ZIP codes, delivery addresses, email addresses and payment card information — meaning account number, expiration date and CVV number — were compromised.

“The security intrusion at issue impacted a small percentage of our customers and we estimate that less than one percent of the visits to our website over the course of the relevant week were affected,” read a customer notice sent only to those affected. “That said, we regret to say that we believe your information is among that impacted group.”

A call center operator told McClatchy that about 60,000 people across the U.S. were affected.

The customer notice said Pizza Hut is talking to cybersecurity experts outside of the company to look into the apparent hack and to make sure it doesn’t happen again.

Affected customers are advised to look out for scams asking for personal information because of the hack, as Pizza Hut will not ask you for personal information like your social security number, the company said.

The company is also offering a free credit monitoring service for a year with Kroll Information Assurance, LLC. You have until Jan. 11 to register for the credit monitoring service, the notice said.

Doug Terfehr, Pizza Hut's director of communications, told McClatchy in a statement that Pizza Hut worked as quickly as it could to notify customers.

“We take the privacy and security of our customers very seriously and invest in resources to protect the customer information in our care. We value the trust our customers place in us and while we were able to address this incident quickly, we regret that this happened and apologize for any inconvenience this may have caused,” Terfehr said.

There are multiple reasons why customers aren’t notified of a hack immediately. For example, law enforcement can delay an announcement to prevent other hackers from being notified about a security breach, The Washington Post reported.

It also takes time for companies to determine the exact scope of a hack, what information was stolen in the first place and if the data taken could cause serious damage to customers, according to the Post.

There are different standards in 48 states and U.S. territories for how and when a hack needs to be disclosed. Alabama and South Dakota are the only states that don’t have security breach notification laws, the Post reported.

And of those 48 states, only eight states -- Connecticut, Florida, Maine, New Mexico, Ohio, Rhode Island, Tennessee and Vermont -- set a timeline for when the hacks need to be announced, which range from 30 to 90 days, according to the Post.

In 2012, Pizza Hut Australia had its website hacked, with the personal information of 240,000 customers compromised, according to ZDNet.

It was reported that the credit card information of those users in the 2012 attack were compromised, but Pizza Hut Australia denied those reports, saying it was just emails and other contact information.

Correction: An earlier version of this story refered to the initial customer notice as a press release.