He knows what you ate last summer… A hacker has claimed to have stolen a large slice of the Hell Pizza customer database.

Writing on the security website Risky Biz, Patrick Gray, who appears to have an inside line on the world of security testers and hackers, said he understood that “multiple intruders have compromised Hell Pizza’s 400mb database”. The database, whose entries include the full names, addresses, phone numbers, email addresses, passwords and order history for the company’s customers, is “doing the rounds”, wrote Mr Gray.

It is said to hold up to 230,000 entries. The chain has 64 stores in New Zealand, nine in Australia and three in the UK.

NBR spoke to Hell Pizza director Warren Powell this afternoon, who confirmed that Mr Gray had sent him four customer entries – two from 2004 and two from 2005 – and that they seemed genuine.

But as to whether the hackers had 230,000 database entries as claimed, the director said “the honest fact is we just don’t know”.

Mr Powell said the database did reveal a person’s address, and what pizzas they ordered.

But the director sought to play down the possible breach, saying the offending appeared to be historic, and did not involve any credit card information.

“Everybody gets hacked into, even the Pentagon,” Mr Powell said. “That’s why we keep them separate.”

The potentially stolen data was “of no value to anyone”, the director said.

Mr Powell – part of a group of founders who sold Hell Pizza’s New Zealand operation in 2006 then recently bought back control – said a new database system had been put in place six months ago. Further system upgrades were to be put in place next week.

If Mr Gray had any information about the hacker he should supply it to Hell, said Mr Powell, who would take it to police.

“Even if the data is old, and may in fact not be usable on the new site as Warren says, I’m less than impressed with such weak security”, IT commentator Juha Saarinen told NBR.

“It’s unacceptable that people’s privacy is being compromised in this manner.

“Some people use the same password for other sites like TradeMe and online banking.

“Once you have access to that, you can get password resets from just about everywhere, and further compromise accounts.”

Hell should notify all customers that their passwords had been potentially breached, Mr Saarinen said.

25/7 UPDATE: Hell Pizza has now emailed customers to inform them of the situation, and to suggest they change their login if they use the same password for other websites; this email is copied below:

Dear Valued Hell Customer,

We have been approached by a party claiming to be in possession of
customer details from the previous Hell website which is no longer in
operation.  The samples that we received included details of four customers
from 2006, including phone numbers and email addresses and order
information. We can confirm that credit card data was not at risk as this
is held independently on a secure banking website.

Whilst we are still investigating the matter, we can confirm that the
information was obtained without our knowledge and we have approached the
New Zealand Police with a view to lodging a formal complaint.  Hell
recognises the importance of protecting customer information and additional
security measures were implemented earlier this year when our new website
was rolled out (again, we reiterate that this is not an issue affecting the
new website). As a further security measure you may wish to consider
changing your passwords on other sites if they were the same as the old
Hell Pizza website.

We apologise for the incident and any inconvenience that this may have
caused.

Sincerely,
Stu McMullin – Director Hell Pizza

Sources ~ Trudi Nelson and NBR
