Yes, but...
The message says to change your password, but I spent a good 20 minutes on the site last night trying to work out how and where, and was unable to do so...
Pizza Hut has warned members of its loyalty scheme "Hut Rewards" not to re-use passwords after hackers managed to access some customer accounts. The fast-food chain, which also suffered a breach stateside in 2017, believes that miscreants got hold of details from elsewhere and then used them to access Pizza Hut systems. The …
Glad it wasn't just me that couldn't find the change password option! I finally worked out that you could log out, then at the login screen use 'forgot password' to reset it.
However I already *do* use unique passwords for each site so I'm not entirely buying their third party websites argument...
I couldn't even remember my password and had to reset it so not one I had used elsewhere, I tried all those. And not possible this was cred stuffing as I have a unique email for their site, advantages of having a domain.
Also my 1 pizza slice I didn't know I had is still there, for what it's worth.
If you did not get hacked, it is because you did not set your password to "password". The people who did - or who used "142857pizzahut" alongside "142857amazon" and "142857classadrugs" - are the victims. Your totally cryptic password is probably safe, but change it anyway to a good one, a different one. Then spend a year failing to remember it...
However, the apparent failure to hack all of the customer accounts and the corporate network could be a ruse, where actually that has happened, but to conceal it, they are only abusing the accounts with less safe passwords, just now.
"The message says to change your password, but I spent a good 20 minutes on the site last night trying to work out how and where, and was unable to do so..."
Duh, change your password on all the other sites where you reused it. The loss of loyalty points redeemable for Pizza Hut pizzas could be seen as its own reward.
Breach notification isn't mandatory under GDPR despite what some seem to believe. It's dependent on the nature of the breach, the information concerned and the risk of prejudice to the individual the data relates to.
Based on the information here I doubt it's a mandatory report, but Pizza Hut might report anyway, particularly if there is more to the story than has been disclosed.
The accounts have been compromised. I'm assuming that the account holder's information, like name, is held under the account, so PII would have been leaked. So, yes, it would fall under GDPR.
On the other hand, this wasn't a system breach, it looks like it was user stupidity that let the hacker in, so there would be a mitigating circumstance for PH to avoid a fine.
Third party gaining access to PII = an incident
Reporting an incident != receiving a fine.
"The accounts have been compromised, I'm assuming that the account holder's information, like name are held under the account, so PII would have been leaked. So, yes, it would fall under GDPR."
The point was, you only need to inform the data *subject* of the breach under certain circumstances, i.e. "[the] data breach is likely to result in a high risk to the rights and freedoms"
https://gdpr-info.eu/art-34-gdpr/
From the ICO's website:
"A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
If you experience a personal data breach you need to consider whether this poses a risk to people. You need to consider the likelihood and severity of the risk to people’s rights and freedoms, following the breach. When you’ve made this assessment, if it’s likely there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report. You do not need to report every breach to the ICO."
Note the bit at the end about "You do not need to report every breach to the ICO".
You are right, you do not need to report every data breach. It depends on the size and impact of the data breach.
But the definition of the "data breach" is still vague, and the industry has not one valid definition. A data breach can be anything from one record to many. So, that is why you do not need to report every data breach.
I wrote a little article on the topic: https://www.securityscientist.net/what-is-a-data-breach-an-investigation-into-data-breach-definitions/
Interesting to see how the GDPR definition compares to the others from the cybersecurity industry
“any breach of security or loss of integrity that has a significant impact on a trust service provided or on the personal data maintained therein.”
While it is correct that you do not need to report every single data breach to the ICO, you must report any GDPR breach involving personal data, under Article 33. In this case another party was able to access private user data (their "rewards") and thus clearly constitutes a GDPR breach.
No you do not have to "... report any GDPR breach involving personal data, under Article 33". The very article you quote explicitly states that's not the case:
"... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons."
Once upon a time... O.K., I'm old, but there really was a time when Pizza Hut was actually among the best of the chain pizza joints, while a certain other chain, often equated with craps, was rumored to use fake cheese, which really did have a mouth feel reminiscent of melted plastic. But, that was then, and we're talking about restaurant chains.
That is why I like our local pizza parlors, they use fresh dough, knead it out in front of you and put fresh ingredients on the pizza.
I think I have eaten 1 Pizza Hut pizza in the last 20 years. It is a similar story for BK and McDonalds, I think I haven't eaten a McDonald's in over 10 years and I had a disappointing burger at BK when travelling to Magdeburg a couple of years ago, before that, it was probably 2006.
Hopefully might cause a few users to change their ways by making them focus on stuff they care about.
Bad guys could gain access to your email – “Meh, it’s mostly junk anyway”
Bad guys could access our corporate data – “Yeah, but it’s not my data!”
Bad guys could claim your free pizza – “What, this is serious! Better change my passwords!”
Really? I've found the opposite: find the right Indian/kebab shop that is decent and their pizzas are way better, more toppings and way cheaper up here. Hell, they even do curry pizzas up here; sounds awful, it ain't.
Chicken Madras pizza... 16" of spicy loveliness for £12 to your door. £12 wouldn't get a 10" Domino's or Hut, I don't think, delivered.
"find the right Indian/kebab shop that are decent and their pizzas way better"
I always like dealing with the small shops, not the chains. If they really bollox the order, they will often make it up in spades. I've had that happen and had two larges delivered right away to replace the one that was not right. They bought a lot of loyalty with that fix.
Both Pizza Hut and Dominos have expensive "standard" menu but also always have "offers" on.
Buying from the standard menu would be like buying a sofa from DFS when there isn't a sale on.
BTW this isn't the first time the Hut Rewards thing has had problems - recently some bright spark figured out you could build up points by placing bogus orders and not paying for them. Reminds me of Moonpig's epic security blunder where you just logged in and changed the user ID in the URL...
Some people must really really like fast food if they elect to have an 'account' with a supplier of takeaway crap.
Over there, US Presidents, like Clinton, Obama and Trump are notorious for their love of the greaseful stuff, but I doubt even they would open individual accounts to fuel their lusty appetites --- They have too much good taste.
was signing up for a "rewards" program in the first place. Is a free slice of pizza worth getting endlessly spammed? It's not even very good pizza. Since many of my friends don't see the downside to these rewards schemes, I use their phone numbers and names when I shop at places I know they have a card for. I get the immediate discount and they get the points. It's a win-win. I also find rewards cards lying about here and there and pick them up and stick them in my wallet. I get the super-saver price at the shop with complete anonymity (I pay with cash).
Back in my innocent youth (ahem), I would get rewards cards and I don't think that I ever amassed enough points with any of them to amount to anything. It's laughable when the fast food joint will give me a coupon for 7p of fizzy drink in exchange for my name, email address and filling out a questionnaire about myself. Really? Puleeze.
Most supermarkets require a loyalty membership to get their sale prices. If you don't carry a card, just key in your phone number.
If I'm memorizing someone else's number, I might as well pick a useful one. I chose the non-emergency number for the city police. Conveniently, this number is already signed up to every loyalty program in town.
"Most supermarkets require a loyalty membership to get their sale prices."
And their sale prices tend to be about the same as the regular prices at supermarkets that don't have a loyalty program. That's why I do the majority of my shopping at those places instead of joining a "track all my purchases" program.
First thought from media reports is that as the rewards points have been redeemed, surely they have the address the pizzas were delivered to? Might be a starting point to find the perp... (although if the local delivery drivers are typical, they sit on the road and expect you to come out to them..)
I do use Pizza Hut occasionally, because they are one of the few places still open at 2-3am. Plus once you factor in the various offer codes and deals it's not particularly expensive. No sign of my points going missing, but I use a long, random and unique password.
I do