Hell Pizza customer database hacked

A New Zealand pizza chain with shops in Brisbane was hacked to expose details of its customers around the world.

Australian IT security news site Risky.biz found that the database at Hell Pizza was cracked in the middle of last year to reveal passwords, emails, home addresses and phone numbers of about 230,000 customers.

Hell Pizza has nine shops in Brisbane and others in Britain. At the time of writing, the Australian website was offline.

It sent an email to those possibly affected requesting that they change their password, with director Stu McMullin claiming that ithe company had been "approached by a party claiming to be in possession of customer details from the previous Hell website which is no longer in operation".

The email read: “The samples that we received included details of four customers ... including phone numbers and email addresses and order information. We can confirm that credit card data was not at risk as this is held independently on a secure banking website.

“Whilst we are still investigating the matter, we can confirm that the information was obtained without our knowledge and we have approached the New Zealand Police with a view to lodging a formal complaint. Hell recognises the importance of protecting customer information and additional security measures were implemented earlier this year when our new website was rolled out (again, we reiterate that this is not an issue affecting the new website).

“We apologise for the incident and any inconvenience that this may have caused.”

Director Warren Powell said it was a massive concern for the company, who had still failed to locate the source of the breach but suspected a former ‘rogue employee' might be to blame.

He told the NZ Herald: “We are honestly taking this very seriously. The last thing we have wanted to do is inconvenience our customers. We take customers' personal details bloody seriously and we spend a lot of money on security. We have been working 24/7 on this for some time and have not found a breach.”

Stephen Howes, CEO of GrIDsure, said: "The potential security breach of Hell Pizza yet again exposes the inherent frailty of passwords as a method of authentication and illustrates the risk of using the same password for numerous websites and online banking. However, users really aren't to blame because recommended ‘strong passwords' are just not very easy to remember, especially when you are advised to use a different password for every web-site you visit. This is clearly highlighted by the ‘forgot my password' feature present on the password login screen.

“Passwords can be compromised through various forms of attack, including shoulder-surfing, key-logging and screen-scraping. In order to genuinely improve security, organisations need to abandon login systems based on fixed passwords and PINs and replace this flawed method of authentication with a one-time passcode method. By making this change, organisations will reduce cases of data loss and identity theft while also saving money and improving customer satisfaction to boot.”

Graham Cluley, senior technology consultant at Sophos, said: “You should never use the same username and password on multiple websites. It's like having a skeleton key which opens every door - if the bad guys scoop up your password in one place they can try it in many other places. If it gets hacked (like in the Hell Pizza example) then cybercriminals could use it to access your other online accounts - webmail, PayPal, Amazon and so on.”

See original article on scmagazineus.com