Cyber Incident Victim: California Pizza Kitchen
Date:
Sep 2021
Location:
United States of America
Summary
A cybersecurity incident at California Pizza Kitchen compromised sensitive personal information of over 100,000 current and former employees, primarily exposing Social Security numbers alongside employee names. The breach occurred following unauthorized system access by cybercriminals, with the organization detecting anomalous activity and promptly securing its environment. While the company initiated a review of security protocols and implemented additional safeguards, notification to state authorities was delayed by approximately two months—a lapse not attributed to law enforcement involvement. The affected individuals, vastly outnumbering the chain's current workforce, included residents across multiple states.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
California Pizza Kitchen (CPK) detected a disruption to its systems on September 15, 2021, prompting immediate action to secure its computing environment. The U.S. restaurant chain, operating over 250 locations across 32 states, initiated an investigation that confirmed by October 4, 2021, that unauthorized actors had infiltrated its network. Cybercriminals accessed specific files containing sensitive employee information, including full names and Social Security numbers (SSNs). While CPK did not publicly disclose the exact number of affected individuals, a subsequent filing with the Maine attorney general’s office revealed the breach impacted 103,767 current and former employees. This figure included eight residents of Maine. Historical employment data indicated CPK had approximately 14,000 active staff members in 2017, suggesting the majority of compromised records belonged to former personnel. The company characterized information security as a top priority and emphasized existing protective measures but did not specify the duration of unauthorized access or the exact entry vectors exploited by attackers.
CPK undertook multiple response actions following the breach discovery, including reinforcing system security, reviewing existing policies, and implementing additional safeguards to prevent future incidents. The organization issued data breach notifications to affected parties but faced scrutiny for a two-month delay in reporting the intrusion to state authorities. Public records showed CPK submitted its breach disclosure to Maine regulators in mid-November 2021, nearly eight weeks after initial detection. The company explicitly stated this notification timeline was not influenced by law enforcement requests. Exposed SSNs create significant risks for identity theft and financial fraud against impacted individuals, though no evidence suggested misuse of data at the time of reporting. CPK did not disclose whether customer information was compromised or whether ransomware or extortion tactics were involved in the attack. The breach highlighted operational challenges in securing legacy employee data while underscoring potential vulnerabilities in corporate network defenses.