Personal details of pizza customers in New Zealand have been exposed following the hacking of a customer database.
According to the New Zealand Herald, the database at Hell's Pizza was cracked revealing passwords, emails, home addresses and phone numbers of around 230,000 customers. It sent an email to those possibly affected requesting that they change their password, where director Stu McMullin claimed that it had been ‘approached by a party claiming to be in possession of customer details from the previous Hell website which is no longer in operation'.
The email read: “The samples that we received included details of four customers from 2006, including phone numbers and email addresses and order information. We can confirm that credit card data was not at risk as this is held independently on a secure banking website.
“Whilst we are still investigating the matter, we can confirm that the information was obtained without our knowledge and we have approached the New Zealand Police with a view to lodging a formal complaint. Hell recognises the importance of protecting customer information and additional security measures were implemented earlier this year when our new website was rolled out (again, we reiterate that this is not an issue affecting the new website).
“We apologise for the incident and any inconvenience that this may have caused.”
Director Warren Powell said it was a massive concern for the company, who had still failed to locate the source of the breach but suspected a former ‘rogue employee' might be to blame.
He told the Herald: “We are honestly taking this very seriously. The last thing we have wanted to do is inconvenience our customers. We take customers' personal details bloody seriously and we spend a lot of money on security. We have been working 24/7 on this for some time and have not found a breach.”
Stephen Howes, CEO of GrIDsure, said: "The potential security breach of Hell Pizza yet again exposes the inherent frailty of passwords as a method of authentication and illustrates the risk of using the same password for numerous websites and online banking. However, users really aren't to blame because recommended ‘strong passwords' are just not very easy to remember, especially when you are advised to use a different password for every web-site you visit. This is clearly highlighted by the ‘forgot my password' feature present on the password login screen.
“Passwords can be compromised through various forms of attack, including shoulder-surfing, key-logging and screen-scraping. In order to genuinely improve security, organisations need to abandon login systems based on fixed passwords and PINs and replace this flawed method of authentication with a one-time passcode method. By making this change, organisations will reduce cases of data loss and identity theft while also saving money and improving customer satisfaction to boot.”
Graham Cluley, senior technology consultant at Sophos, said: “You should never use the same username and password on multiple websites. It's like having a skeleton key which opens every door - if the bad guys scoop up your password in one place they can try it in many other places. If it gets hacked (like in the Hell Pizza example) then cybercriminals could use it to access your other online accounts - webmail, PayPal, Amazon and so on.”