Emails sent out by the restaurant chain to affected individuals describe the incident as a “temporary security intrusion” on PizzaHut.com.
According to the company, the hackers only had access to the site between the morning of October 1, 2017 through midday on October 2, 2017 for a total of roughly 28 hours. Customers who used the Pizza Hut website or mobile app to place an order during this period could be affected.
Pizza Hut said the breach was quickly detected and addressed, and it estimates that less than one percent of website visits during that week were impacted. McClatchy learned that roughly 60,000 people across the United States are affected by the incident.
The restaurant chain said its external cybersecurity consultants determined that the attackers may have obtained information such as name, billing ZIP code, delivery address, email address, and payment card data, including card number, expiration date and CVV.
Affected customers are being offered free credit protection services for one year. However, several people reported on social media that their payment cards have already been used for fraudulent transactions, possibly as a result of this breach.
While it’s not uncommon for companies to inform customers of a breach only after completing at least an initial assessment, some of the individuals who reported seeing unauthorized charges on their cards are displeased with the fact that it took Pizza Hut two weeks to send out the notifications.
This was not the first time hackers targeted Pizza Hut. Back in 2012, a group defaced the company’s Australia website and claimed to have obtained roughly 240,000 Australian payment cards.