Cyber Incident Victim: New York Pizza

On or around May 30, 2021, New York Pizza (NYP), a major pizza chain in the Netherlands, experienced a data breach after an unidentified hacker gained unauthorized access to customer information. The hacker initiated contact via email on the night of Sunday, May 30, or early Monday, May 31, explicitly threatening to publish or sell the stolen data unless extortion demands were met. NYP confirmed the breach publicly on May 31, disclosing that approximately 3.9 million customer records—equivalent to 22% of the Dutch population—were compromised. The stolen dataset included highly sensitive personal details: full names, physical delivery addresses, email addresses, telephone numbers, hashed passwords for NYP online accounts, historical order records, and, for some individuals, dates of birth. The company did not specify the exact intrusion method but acknowledged the hacker exploited a vulnerability in its systems to extract this data.

NYP engaged Dutch cybersecurity firm Fox-IT to investigate the breach, remediate the exploited vulnerability, and assess the intrusion’s scope. The company formally notified the Dutch data protection authority (Autoriteit Persoonsgegevens) and announced plans to file a criminal complaint with law enforcement upon completing its internal investigation. Impacted customers received direct notifications advising them to reset their NYP account passwords immediately. NYP explicitly warned that the stolen data would likely surface online and be weaponized for fraudulent activities, including phishing campaigns, spam, identity theft, or direct solicitations for payments or additional personal information. The chain singled out “[email protected]” as a confirmed malicious sender to avoid and emphasized vigilance against unsolicited communications referencing the breach. No ransomware deployment or operational disruption to restaurant services was reported, though the scale of exposed personal data raised significant fraud risks for affected individuals.