Customers cheesed off after card details nicked in Pizza Hut data breach

Miscreants have made off with payment card details of "a small number of clients" following a data breach at Pizza Hut. In an email to affected customers seen by Bleeping Computer, the fast-food chain wrote: "Pizza Hut has recently identified a temporary security intrusion that occurred on our website. "We have learned that …

Anonymous Coward

PCI ????

Surely, if PH were following PCI guidelines (the ones that no one likes paying experts for) then they would have been OK in the event of a breach?

Let me guess ... they *weren't* following guidelines ???

Unlike the useless ICO, the card payment industry has teeth, and should use them. £100 per card details should do it.


Re: PCI ????

Well, to be honest, any old jackass can tick a few boxes for that PCI-DSS check that you have to do yearly. The odds are that the guys who didn't design or work on the system never saw the PCI-DSS certification and didn't do the check, so the jackass who got the bit of paper, who's never seen the system, goes "Ah yeah, we've done all of this. Tick tick tick".

I've known it done in a previous employment until I put my foot down and took command of the PCI-DSS disclosure. We had broken it before then, but once I knew what was involved in it the system I looked after was compliant.


Breaking news: Visa/Mastercard pulls Pizza Hut account till they prove the web site is secure

Oh wait I was dreaming. Nothing will happen.


Not until the credit card companies are made jointly liable.


"Not until the credit card companies are made jointly liable."

Isn't it the card company who makes good the fraudulent transactions?

(I can dream, can't I?)


Be more secure using BitCoin

just saying ...


Yeah, because BitCoin is so widely used by brick-and-mortar shop websites already.


and Bitcoin exchanges never get hacked or have their operators run away with the goods, do they? *cough*Mt Gox*cough*


Ahem, Dish TV takes bitcoins.


Congratulations! You have found one!

Come back when you have another thousand and we'll start talking about this little-known other thing called PayPal...


Where?

What country is this in?

Other reports present it as if it were a US website problem.


Re: Where? - From the article - "the breach has only affected customers in the US"

Oh-oh!


Re: Where? - From the article - "the breach has only affected customers in the US"

But let's follow up that apparently irrelevant discussion about GDPR. If the US Supreme Court were to allow the extraterritoriality that the DoJ is claiming then why shouldn't Europe do the same?

If a US company that also trades in Europe has a data breach in the US why shouldn't we, once GDPR becomes operative, require them to report it to the relevant European authorities as well and impose GDPR-scale fines for failing to do this and any other GDPR offences that they may commit? It's the only way to make the Privacy Figleaf and similar claptrap mean anything real.


Surely they don't store payment card details. So wtf?

Someone help me understand...

I presume they don't store payment card details. (if that assumption is wrong, then all bets are off and I withdraw my question)

So, assuming they don't, yes they need to process the data, but presumably that's done in a couple of secure sessions (one with the customer, one with the Card Issuer) but once they've received a payment authorisation, they have no further legit use for the data. So how has an attacker breached their defences? Are the secure communication protocols broken? or what...


Re: Surely they don't store payment card details. So wtf?

I presume they don't store payment card details.

See their T&Cs section 3.2: "We will not charge your credit or debit card until we despatch your order." which means that they do keep your card details ... I would not be surprised if, once they have them, they keep them for a lot longer.


Re: Surely they don't store payment card details. So wtf?

ah, that's interesting.

Is it not possible (I naively assumed this was routine) to have a "provisional" authorisation code which would deal with that situation? (Ideally confirmed by a "signature" from the customer, but let's not run before we can walk...)


Re: Surely they don't store payment card details. So wtf?

"Are the secure communication protocols broken?"

From the article, the breach only affects people using the site and placing an order during a certain 28-hour period. That implies some sort of MitM attack or similar catching the live data, not a breach/copying of a database.


That's no Pizza Hut pizza

Looks way too nice and edible...

Further to the point, never pay for food with a credit card!

And we'll grab the popcorn waiting for the real number of affected customers to be revealed.


Giving your card details to Pizzahut

in exchange for a 30p open sandwich at the prices they charge and then you complain about a data breach?


Under the current law there is no obligation to notify, she said.

Dear madam, our crooked politicians might not have brought appropriate laws into effect, yet, however, the internet is there among other things to name and shame ... and this time, we shame not only Pizza Hut, but also your silly outfit.

As of today, I solely proclaim that Kemp Little are a bunch of retards, not to be trusted in any way. I accuse them of being accomplices to data thieves and frauds.

As of today, I solely proclaim that Pizza Hut are a bunch of retards, not to be trusted in any way. I accuse them of being accomplices to data thieves and frauds.

If you are aware of fraudulent behavior, you must inform the authorities without delay, in every country on this planet. How these companies get away with it I do not know. How security advisers (ROFL) get away with it I understand even less ...


Actually, I have a simple proposal for a bill:

Any party that leaks cc information is liable for any use of the cc card as of the date of the breach, unless they can prove the 3rd party did not have the cc information at the time of use.

If your company is STUPID ENOUGH to store cc data and anybody accesses it, OR anybody manages to intercept said data, any purchases made with said cc information after the time it was retrieved is YOUR COMPANY'S problem ... then, and only then will companies take security seriously, that will also mean the end of MS' empire.... which can only be a good thing ;-)

Let's keep things simple!


Do we know how much dough they'll be fined in the US?

That pun is going to take some Topping...

/getsCoat


Re: Do we know how much dough they'll be fined in the US?

No Topping required, it's cheesy enough as it is...

Anonymous Coward

Re: Do we know how much dough they'll be fined in the US?

I reckon they'll get fined a decent slice.


retailers: Why can't we just pass the entire mess onto the payment processors so we can carry on about our lives?

payment processors: Why can't we just pass the entire mess onto the consumer so we can carry on about our lives?

consumers: Why can't we just ... well, shit.

We all know who is going to wind up taking the shaft in the (rear) end.

Anonymous Coward

'Pizza Hut takes the information security of our customers very seriously'

Time that disingenuous PR statements like that bring automatic castration!


Re: 'Pizza Hut takes the information security of our customers very seriously'

Do you really think that would affect PR people in any way?

Just pay cash - or buy decent pizza elsewhere.


AVOID PIZZA HUT in the USA!! They've gone insane with the salt content of their pizzas!

There are several articles about it online from various sources. I kid not.

I had such a Pizza Hut product recently and it was god awful.

Anonymous Coward

slickmetal

I'm sick of these data breaches. Reporters need to start shaming the people responsible by publishing names (top to bottom) of people involved that caused the issue. If the press starts doing this the tech people are going to be shamed into doing the right thing.
