If you're a pizza fan, it might be time to keep an eye on your credit card statements. Pizza Hut Australia last night appears to have fallen victim to hackers going by the names of Oday and Pyknic (Update: Pizza Hut CEO confirms breach, read on for full statement). The hackers defaced the website last night, but what's more concerning is the claim that they made off with 260,000 Australian credit card numbers. That's some serious dough.
Whirlpool Forum users were the first to notice the hack, before Reddit Australia started to take notice. The website was restored at the time of publication, but around 15 hours ago the website looked like this:
Atrocious web design aside (seriously, take more pride in your work) the message that scrolls across the screen claims to have nabbed vital credit card numbers and customer account details:
Dear Pizza Hut,
It has come to our attention that we have absolutely ripped apart your internal security systems. Do you want to know what we took? ~240,000 Australian credit cards, 60,000 Australian members, your dignity.
Woopsies (sic) :C
Interestingly, the defaced site included a bright, shiny link to rival company Dominos Pizza. That's sure to cheese-off the supreme overlords at Pizza Hut.
This might put your mind at ease about the state of your dough, though: the restaurant told us this morning that it's simply impossible for the hackers to have obtained credit card information from customers, simply because it doesn't hold them internally. As per PCI DSS rules, credit card numbers are handed off to a secure, authorised, third-party to process and store transactions so that when these incidents go down, hackers don't walk off with the whole pie.
The claim that hackers took account details though remains out in the open. Best to change your passwords just in case.
Update: Pizza Hut general manager Graeme Houston has confirmed the breach. Here's his statement in full:
"Pizza Hut can confirm that a layer of its website, pizzahut.com.au, was breached with access gained to names and contact information, including email addresses.
We are working with our website providers to conduct a thorough investigation of the matter and have also reported the incident to the Office of the Australian Information Commissioner. We would like to reassure all of our customers that absolutely no credit card information was stolen and there is no need for concern regarding credit cards.
The security of our online ordering system has not been compromised in any way and our customers can continue to order online in the knowledge the ordering system is secure."