To members of Pizza Hut's loyalty scheme: You really knead to stop reusing your passwords

Pizza Hut has warned members of its loyalty scheme "Hut Rewards" not to re-use passwords after hackers managed to access some customer accounts. The fast-food chain, which also suffered a breach stateside in 2017, believes that miscreants got hold of details from elsewhere and then used them to access Pizza Hut systems. The …

  1. Anonymous Coward
    Anonymous Coward

    Yes, but...

    The message says to change your password, but I spent a good 20 minutes on the site last night trying to work out how and where, and was unable to do so...

    1. Korev Silver badge
      Joke

      Re: Yes, but...

      Hard Cheese old chap

    2. Martin-R

      Re: Yes, but...

      Glad it wasn't just me that could find the change password option! I finally worked out that you could log out, then at the login screen use 'forgot password' to reset it.

      However I already *do* use unique passwords for each site so I'm not entirely buying their third party websites argument...

      1. MonkeyBob
        Black Helicopters

        Re: Yes, but...

        I couldn't even remember my password and had to reset it so not one I had used elsewhere, I tried all those. And not possible this was cred stuffing as I have a unique email for their site, advantages of having a domain.

        Also my 1 pizza slice I didn't know I had is still there, for what it's worth.

      2. Robert Carnegie Silver badge

        Re: Yes, but...

        If you did not get hacked, it is because you did not set your password to "password". The people who did - or who used "142857pizzahut" alongside "142857amazon" and "142857classadrugs" - are the victims. Your totally cryptic password is probably safe, but, change it anyway to a good one, a different one. Then spend a year failing to remember it...

        However, the apparent failure to hack all of the customer accounts and the corporate network could be a ruse, where actually that has happened, but to conceal it, they are only abusing the accounts with less safe passwords, just now.

    3. 's water music
      Trollface

      Re: Yes, but...

      The message says to change your password, but I spent a good 20 minutes on the site last night trying to work out how and where, and was unable to do so...

      Duh, change your password on all the other sites where you reused it. The loss of loyalty points redeemable for Pizza Hut pizzas could be seen as its own reward

  2. Cynical Pie

    Breach Notification

    Breach notification isn't mandatory under GDPR despite what some seem to believe. It's dependent on the nature of the breach, the information concerned and the risk of prejudice to the individual the data relates to.

    Based on the information here I doubt it's a mandatory report but Pizza Hut might report anyway, particularly if there is more to the story than has been disclosed

    1. big_D Silver badge

      Re: Breach Notification

      The accounts have been compromised, I'm assuming that the account holder's information, like name are held under the account, so PII would have been leaked. So, yes, it would fall under GDPR.

      On the other hand, this wasn't a system breach, it looks like it was user stupidity that let the hacker in, so there would be a mitigating circumstance for PH to avoid a fine.

      Third party gaining access to PII = an incident

      Reporting an incident != receiving a fine.

      1. Anonymous Coward
        Anonymous Coward

        Re: Breach Notification

        "The accounts have been compromised, I'm assuming that the account holder's information, like name are held under the account, so PII would have been leaked. So, yes, it would fall under GDPR."

        The point was, you only need to inform the data *subject* of the breach under certain circumstances, i.e. "[the] data breach is likely to result in a high risk to the rights and freedoms"

        https://gdpr-info.eu/art-34-gdpr/

      2. Anonymous Coward
        Anonymous Coward

        Re: Breach Notification

        From the ICO's website:

        "A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

        If you experience a personal data breach you need to consider whether this poses a risk to people. You need to consider the likelihood and severity of the risk to people’s rights and freedoms, following the breach. When you’ve made this assessment, if it’s likely there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report. You do not need to report every breach to the ICO."

        Note the bit at the end about "You do not need to report every breach to the ICO".

        1. Security Scientist

          Re: Breach Notification

          You are right, you do not need to report every data breach. It depends on the size and impact of the data breach.

          But the definition of the "data breach" is still vague, and the industry has not one valid definition. A data breach can be anything from one record to many. So, that is why you do not need to report every data breach.

          I wrote a little article on the topic: https://www.securityscientist.net/what-is-a-data-breach-an-investigation-into-data-breach-definitions/

          Interesting to see how the GDPR definition compares to the others from the cybersecurity industry

      3. ArrZarr Silver badge

        Re: Breach Notification

        The accounts have been compromised by, if Pizza Hut is to be believed, putting the correct username and password in for a user.

        In this case, is Pizza Hut even at fault, given that their security worked as any reasonable person would expect it to?

    2. macjules

      Re: Breach Notification

      “any breach of security or loss of integrity that has a significant impact on a trust service provided or on the personal data maintained therein.”

      While it is correct that you do not need to report every single data breach to the ICO, you must report any GDPR breach involving personal data, under Article 33. In this case another party was able to access private user data (their "rewards") and thus clearly constitutes a GDPR breach.

      1. Anonymous Coward
        Anonymous Coward

        Re: Breach Notification

        No you do not have to "... report any GDPR breach involving personal data, under Article 33". The very article you quote explicitly states that's not the case:

        "... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons."

  3. big_D Silver badge
    Coat

    A hacker...

    with no taste

    1. chivo243 Silver badge
      Pint

      Re: A hacker...

      with no taste, after having a pizza hut pizza, even a curry would have no taste after that ;-}

      1. GnuTzu
        Pint

        Re: A hacker...

        Once upon a time... O.K., I'm old, but there really was a time when Pizza Hut was actually among the best of the chain pizza joints, while a certain other chain, often equated with craps, was rumored to use fake cheese, which really did have a mouth feel reminiscent of melted plastic. But, that was then, and we're talking about restaurant chains.

        1. Flywheel
          Pint

          Re: A hacker...

          Same here! I remember the transition from pizza made with real ingredients to the frozen pizza bases cooked/baked steamed back to "life" then sprayed with cheese 'n garlic oil to make it taste of something.

          1. big_D Silver badge

            Re: A hacker...

            That is why I like our local pizza parlors, they use fresh dough, knead it out in front of you and put fresh ingredients on the pizza.

            I think I have eaten 1 Pizza Hut pizza in the last 20 years. It is a similar story for BK and McDonalds, I think I haven't eaten a McDonald's in over 10 years and I had a disappointing burger at BK when travelling to Magdeburg a couple of years ago, before that, it was probably 2006.

  4. Anonymous Coward
    Anonymous Coward

    I guess you could say that the hackers...

    ...hit the Hut.

  5. Christoph

    It was obviously that infamous villain Pizza the Hutt

  6. Korev Silver badge
    Coat

    At least one traumatised punter has seen their rewards points spent on free pizza, according to Money Saving Expert.

    At least it was only points and not some dough...

  7. Keith Langmead

    The potential power of free pizza

    Hopefully might cause a few users to change their ways by making them focus on stuff they care about.

    Bad guys could gain access to your email – “Meh, it’s mostly junk anyway”

    Bad guys could access our corporate data – “Yeah, but it’s not my data!”

    Bad guys could claim your free pizza – “What, this is serious! Better change my passwords!”

  8. tiggity Silver badge

    careful wording...

    "We suspect" (credential stuffing attacks)

    Which is far less reassuring than saying our systems are secure and we know 100% that this was a credential stuffing attack.

    1. Robert Carnegie Silver badge

      Re: careful wording...

      I think you don't ever know with more certainty than 99.99 percent.

      I bet a fake pizza deliverer (or a real one) could go round asking customers for their password on the doorstep and would have a better than 0% success rate. Even if it's their Facebook password.

  9. JohnFen

    Today I learned

    Today I learned that there are not only people who are willing to eat Pizza Hut pizza, but who are willing to eat it often enough that a loyalty scheme is appealing to them.

    Wonders never cease!

    1. a_yank_lurker

      Re: Today I learned

      Pizza the Slut sometimes is tolerable because they deliver like their main competitors and are not very expensive. Generally the local shops and small chains have better pizzas and often a much better selection but often cost a little more.

      1. Mandoscottie
        Thumb Up

        Re: Today I learned

        Really? I've found the opposite: find the right Indian/kebab shop that's decent and their pizzas are way better, more toppings and way cheaper up here. Hell, they even do curry pizzas up here; sounds awful, it ain't.

        Chicken Madras pizza...16" of spicy loveliness for £12 to your door. £12 wouldn't get a 10" Domino's or Hut, I don't think, delivered.

        1. MachDiamond Silver badge

          Re: Today I learned

          " find the right indian/kebab shop that are decent and their pizzas way better"

          I always like dealing with the small shops, not the chains. If they really bollox the order, they will often make it up in spades. I've had that happen and had two larges delivered right away to replace the one that was not right. They bought a lot of loyalty with that fix.

      2. JohnFen

        Re: Today I learned

        "Pizza the Slut"

        Hee! In my neck of the woods, we call it "Greasa Hut".

        1. FozzyBear
          Coffee/keyboard

          Re: Today I learned

          We just call 'em pavement pizzas

      3. rmason

        Re: Today I learned

        Exact opposite in the east midlands.

        Pizza Hut and Domino's are about double the cost of the average pizza takeaway.

        1. daftdave

          Re: Today I learned

          Both Pizza Hut and Domino's have an expensive "standard" menu but also always have "offers" on.

          Buying from the standard menu would be like buying a sofa from DFS when there isn't a sale on.

          BTW this isn't the first time the Hut Rewards thing has had problems - recently some bright spark figured out you could build up points by placing bogus orders and not paying for them. Reminds me of Moonpig's epic security blunder where you just logged in and changed the user id in the URL...

  10. DMcDonnell

    No Way!

    That can't be a photo of an actual Pizza Hut pizza because Pizza Hut never ever put that many toppings on any of their pizzas.

  11. This post has been deleted by its author

  12. Vikingforties
    Coat

    They're going to get fined so much dough by the ICO.

  13. steven_t
    Coat

    New pizza base, only available via the loyalty scheme

    Credential stuffed crust

  14. Claverhouse Silver badge

    Some people must really really like fast food if they elect to have an 'account' with a supplier of takeaway crap.

    Over there, US Presidents, like Clinton, Obama and Trump are notorious for their love of the greaseful stuff, but I doubt even they would open individual accounts to fuel their lusty appetites --- They have too much good taste.

  15. MachDiamond Silver badge

    The first error

    was signing up for a "rewards" program in the first place. Is a free slice of pizza worth getting endlessly spammed? It's not even very good pizza. Since many of my friends don't see the downside to these rewards schemes, I use their phone numbers and names when I shop at places I know they have a card for. I get the immediate discount and they get the points. It's a win-win. I also find rewards cards lying about here and there and pick them up and stick them in my wallet. I get the super-saver price at the shop with complete anonymity (I pay with cash).

    Back in my innocent youth (ahem), I would get rewards cards and I don't think that I ever amassed enough points with any of them to amount to anything. It's laughable when the fast food joint will give me a coupon for 7p of fizzy drink in exchange for my name, email address and filling out a questionnaire about myself. Really? Puleeze.

    1. jtaylor

      Re: The first error

      Most supermarkets require a loyalty membership to get their sale prices. If you don't carry a card, just key in your phone number.

      If I'm memorizing someone else's number, I might as well pick a useful one. I chose the non-emergency number for the city police. Conveniently, this number is already signed up to every loyalty program in town.

      1. JohnFen

        Re: The first error

        "Most supermarkets require a loyalty membership to get their sale prices."

        And their sale prices tend to be about the same as the regular prices at supermarkets that don't have a loyalty program. That's why I do the majority of my shopping at those places instead of joining a "track all my purchases" program.

  16. Anonymous Coward
    Anonymous Coward

    Change password and...

    Change to a better brand of pizza.

  17. irrelevant

    Perp..

    First thought from media reports is that as the rated points have been redeemed, surely they have the address the pizzas were delivered to? Might be a starting point to find the perp.. (although if the local delivery drivers are typical, they sit on the road and expect you to come out to them..)

    I do use Pizza Hut occasionally, because they are one of the few places still open at 2-3am.. Plus once you factor in the various offer codes and deals it's not particularly expensive. No sign of my points going missing, but I use a long, random and unique password.

    I do
