
Cyber Incident Victim: Otto Pizza

Date: May 2014

Location: United States of America

Summary

A cybersecurity breach at Otto Pizza involved unauthorized access through point-of-sale malware at two Portland locations, compromising names and credit/debit card account numbers for approximately 900 customers. No PINs, CVV codes, email addresses, or passwords were exposed, and delivery service transactions and other restaurant locations in Maine and Massachusetts were not affected. The intrusion was identified through federal investigative efforts, with fewer than 3% of card transactions potentially exposed during the incident period. Mitigation included decommissioning compromised terminals, replacing storage hardware, and implementing enhanced firewall and monitoring protections. State authorities and impacted individuals received notifications following the discovery.

Description

The breach at Otto Pizza's Portland locations occurred between May 1 and August 13, 2014, when attackers deployed point-of-sale (PoS) malware on systems at two Oregon restaurants. Federal authorities investigating unrelated matters discovered compromised credit card data and alerted the restaurant, which had not previously detected the intrusion. Approximately 900 customers who used credit or debit cards at the affected Portland locations during the four-month window had their names and card account numbers exposed. Attackers did not access PIN codes, CVV numbers, email addresses, or personal passwords according to forensic analysis. Otto Pizza confirmed the malware only impacted two Portland outlets, with no evidence of compromise at their Maine or Massachusetts locations or in their home delivery systems. Restaurant officials estimated fewer than 3% of total credit card transactions at the two stores were compromised. The malware family used in the attack remained unidentified in public disclosures.

Upon confirmation of the breach, Otto Pizza immediately disabled the compromised PoS terminals and replaced their data storage units to prevent further data exfiltration. The company enhanced system protections by deploying additional firewall security and implementing continuous monitoring software across locations. State regulatory agencies received formal notification as required by law, triggering mandatory customer and employee disclosure procedures. No fraudulent transactions were publicly attributed to the breach at the time of reporting. The incident exclusively affected customers who made in-person payments at the two Portland restaurants during the specified period, with delivery service transactions remaining unaffected. Forensic investigators determined the attackers gained sufficient access to harvest card data directly from PoS systems but found no evidence of network-wide infiltration or secondary malware installations.
