Pizza Hut
Pizza Hut suffered a breach and failed to disclose it for two weeks. Famartin/Wikimedia Commons

Pizza Hut recently disclosed it experienced a data breach earlier this month that may have exposed its customers’ personal and financial information including credit card numbers.

The unauthorized access to Pizza Hut’s servers originally occurred on Oct. 1. Consumers who may have been affected by the breach were not informed for at least two weeks, with the first notifications being sent out on Oct. 14.

According to the notification sent out to customers, Pizza Hut said the data breach stemmed from a vulnerability on the company’s website. The intruder had access to the company’s internal servers for about 28 hours before the access was identified and cut off.

While the hacker was in the pizza chain’s systems, they were able to access payment information from customers who placed orders via the Pizza Hut website and mobile app during the period of unauthorized access.

In its statement, the company said a “small percentage” of its customers had their data exposed. Pizza Hut estimated that “less than one percent” of visits to its website during the week of the breach were affected. According to the Sacramento Bee, a Pizza Hut call center operator said the data breach is believed to have affected about 60,000 customers.

After learning of the breach, customers of Pizza Hut took to social media to voice their displeasure not only at the breach itself, but at the two-week period during which the company held off on informing the public.

While it’s often considered best practice to inform people as soon as possible so that consumers can take action to protect their information—especially when financial information is at risk—there are legitimate reasons for holding off on disclosure, including the risk of tipping off other hackers about a vulnerability before it is patched and thereby inviting further breaches.

Javvad Malik, security advocate at AlienVault, told International Business Times, “Compared to many recent breaches, Pizza Hut detected the breach relatively quickly, and so limited the number of customer card details stolen. It goes to illustrate the importance and value of having good threat detection and response controls in place to limit exposure.”

Marco Cova, the senior security researcher at Lastline, was less convinced that Pizza Hut did everything in its power to respond to the breach in an expedient way that protected its customers.

“While Pizza Hut is suggesting this breach wasn’t particularly serious in terms of the volume of customers affected, there are certainly some best practices that were not implemented around this breach,” Cova said.

The security researcher explained that waiting two weeks to inform affected users means that “the individuals were unable to block or change their cards, which in turn meant that the fraudulent data stolen facilitated further cybercrime in the form of credit card fraud, which is always the worry with data breaches.”

Cova suggested that companies learn from the mistakes of how other companies have handled breaches and “should endeavor to tell the individuals what’s happening as soon as possible, and invest in the appropriate breach-detection services to stop cybercriminals before they access the data in the first place.”