Share this article on:
Old-school fast-food chain Pizza Hut has sent emails to its customers warning that some customer data may have been compromised in a recent data breach.
The emails, dated 20 September and shared with Cyber Security Connect by a Pizza Hut customer, mention a “cyber security incident” that Pizza Hut first became aware of in “early September”.
The apparent breach includes customer details and order information.
“At this stage of our investigation, we have confirmed that the data impacted relates to customer record details and online order transactions held on our Pizza Hut Australia customer database,” the email read.
The compromised information includes names, delivery addresses and instructions, email, contact numbers, and “unusable masked credit card data and secure one-way encrypted password (for customers with online accounts)”. However, Pizza Hut pointed out that it currently believes it is only a small subset of customers that have been affected.
“From our investigation and the steps taken in response to the incident, we believe there is only a small proportion of customers on our database whose personal information has been impacted,” Pizza Hut said.
“We have notified these customers as well as the Office of the Australian Information Commissioner (OAIC) of the incident.”
The specific email sent to the customer who shared the email address goes even further.
“Based on our investigation and the steps we have taken to remediate the incident, you are not one of the small number of customers whose personal information has been impacted,” it said. (emphasis as seen in email)
However, a scan of various threat feeds, including Falcon Feeds, has not shed any light on threat actors either sharing or threatening to share the data.
That said, DataBreaches.net reported on an apparent Pizza Hut hack on 3 September, which matches the time frame of the recent email.
According to DataBreaches, a known threat actor called ShinyHunters – which takes its name from a Pokemon game – was behind the breach, admitting to the site that they accessed Pizza Hut’s data in July or August via Amazon Web Services.
“They claim to have exfiltrated more than 30 million records with customers’ orders as well as information on more than 1 million customers,” DataBreaches said.
“Shiny states that they were never detected during the attack.”
ShinyHunters even shared proof of its hack, with one file including the details of 200,000 customer orders and a second file with 100,000 customer data sets, including longitude and encrypted credit card data.
“Spot-checking customer names, DataBreaches was able to verify that there were people with the customers’ names in the right geographic area for the data samples,” DataBreaches said.
At the time, ShinyHunters was apparently asking for US$300,000 by way of ransom.
There is one final twist in the tale, though. ShinyHunters used to operate the RaidForums website, which was seized and shut down by the FBI and other international law enforcement agencies in 2022. The same group appears to have then established BreachedForums, which was then breached itself in 2023. An account that goes by the name ShinyHunters is currently an admin on BreachedForums – though there appears to be no Pizza Hut data on the site.
It’s impossible to work out just how much data has been exposed at this stage, as it appears the threat actor in question may have more on their mind than the malicious use of any exfiltrated data.
Cyber Security Connect has reached out to Pizza Hut for further comment and will continue to monitor the situation.