Blog, Security Alert

Pizza Hut Exposed To Possible Breach Of Customers Data

Pizza Hut Exposed To Possible Breach Of Customers Data

Pizza Hut, the classic fast-food chain, has issued warnings to its customers regarding a potential data breach. Customers received emails notifying them of this incident, which may have compromised certain customer data, including details and order information.

The breach primarily affects customer record details and online order transactions stored in Pizza Hut Australia’s customer database. The compromised information encompasses names, delivery addresses, instructions, email addresses, contact numbers, and partially masked credit card data, along with securely encrypted passwords (for customers with online accounts). Notably, Pizza Hut believes that only a small subset of customers has been impacted by this breach.

In response to the incident, Pizza Hut has taken steps to investigate and mitigate the situation. Affected customers have been informed, and the Office of the Australian Information Commissioner (OAIC) has been notified of the breach.

However, the specific emails sent to individual customers provide further reassurance: “Based on our investigation and the steps we have taken to remediate the incident, you are not one of the small number of customers whose personal information has been impacted.”
Despite this, there has been no evidence from various threat feeds, including Falcon Feeds, indicating any sharing or threats to share the compromised data.

It’s worth noting that reported a possible Pizza Hut hack on September 3rd, aligning with the timing of the recent email notifications. According to DataBreaches, a known threat actor named ShinyHunters admitted to accessing Pizza Hut’s data in July or August through Amazon Web Services. This actor claimed to have obtained over 30 million records, including customer orders and data on more than 1 million customers, while remaining undetected during the attack.

ShinyHunters even provided evidence of the hack, including files containing details of customer orders and customer data sets, some of which included encrypted credit card data. The threat actor was allegedly seeking a $300,000 ransom at that time.

Adding complexity to the situation, ShinyHunters was previously associated with the RaidForums website, which was seized and shut down by the FBI and other law enforcement agencies in 2022. The same group later established BreachedForums, which was subsequently breached in 2023. An account under the name ShinyHunters currently serves as an admin on BreachedForums, although no Pizza Hut data appears to be on the site.

The full extent of the exposed data remains uncertain, as the threat actor’s motives may extend beyond the malicious use of the compromised information.