Pizza Hut Australia has confirmed it has been the subject of a cyber-attack which resulted in the leaking of customers’ names and addresses.
However, a security expert says the incident serves as a lesson. Pizza Hut claims credit card data was not affected, indicating the business kept financial records in a separate database – a practice SMEs need to emulate, AVG security advisor Michael McKinnon says.
“It appears their structure is set up reasonably well,” he told SmartCompany this morning.
“I’d believe them when they say their financial data hasn’t been leaked.”
Pizza Hut was contacted by SmartCompany this morning, but no reply was available before publication.
The hack was first noticed on Whirlpool and Reddit, with the company’s home page having been defaced. By then, a statement from the company had been distributed saying that a layer of its website had been breached.
Information that had been leaked included names, email addresses and contact information.
“We are working with our website providers to conduct a thorough investigation of the matter and have also reported the incident to the Office of the Australian Information Commissioner,” general manager Graeme Houston said in a statement.
He also said the online ordering system hadn’t been compromised, and that credit card information wasn’t affected.
This is an important claim, as some businesses involved in leaks have made the mistake of mixing the two databases. Experts say credit card information should be kept separate at all times.
“The ordering system here looks to be hosted elsewhere,” says McKinnon. “I’d believe the data hasn’t been leaked here. But it certainly doesn’t mean they’re not embarrassed.”
Australian businesses have suffered plenty of leaks over the past couple of years, with AAPT, Distribute.IT and Lush among the more prominent victims. Last year was particularly bad, with international computer giants Sony and Nintendo suffering huge, embarrassing data leaks.
McKinnon says the lesson here for small businesses is actually in the recovery process. Businesses need to put time and effort into finding where the leak occurred, rather than just restoring from a back-up.
Even though the disaster has been averted and credit card data protected, there’s still a lot of work to be done in finding where the actual vulnerability lies.
“We see this in SMEs quite a lot. They get hacked and don’t have the resources to find where the leak happened, so they just restore everything from a back-up and keep going.”
“It’s of great concern from a privacy standpoint, that this is yet another example of privacy information being trusted with a third party, and then having that information leak out of no fault of their own.”