Cyber Incident Victim: Pizza Hut
Date: Oct 2017
Location: United States of America
Summary
A Pizza Hut data breach exposed payment card details of customers who placed orders through its website or mobile app during a 28-hour intrusion. The company stated the incident impacted less than one percent of visitors during the relevant period and was quickly contained, but multiple users reported fraudulent transactions occurring prior to notification. Affected customers criticized delayed disclosure, with some confirming unauthorized charges on their cards days before receiving official breach alerts.
Description
Pizza Hut experienced a security breach impacting customers who placed orders through its website or mobile application during a 28-hour period from the morning of October 1, 2017, through midday on October 2, 2017. The company detected the intrusion promptly and took immediate action to contain it, according to an email notification sent to affected customers on October 14, 2017. Pizza Hut characterized the incident as a "temporary security intrusion" that compromised payment card details and other information from a limited subset of users. The organization estimated that less than one percent of website visitors during the relevant week were affected, though it did not disclose the absolute number of compromised accounts. This marked Pizza Hut's second publicly disclosed payment card breach, following a 2012 incident affecting 240,000 customers.

Multiple customers reported unauthorized transactions on their payment cards in the week preceding Pizza Hut's notification. At least five users publicly attributed fraudulent charges to the breach in complaints on Twitter, and some stated they had to cancel compromised cards. Customers criticized the disclosure timeline, noting that fraudulent activity occurred approximately one week before they received official notification from Pizza Hut. On social media, the company was accused of inadequate security measures and of disclosing the breach too slowly. While Pizza Hut confirmed that the breach occurred and was contained, the total number of affected individuals remained unclear at the time of reporting, and external attempts to obtain additional metrics were unsuccessful. The incident demonstrated recurring security challenges for the organization across multiple years.
