Pizza Hut app and 41 Hyatt POS systems breached by hackers

On October 14, 2017, Pizza Hut notified approximately 60,000 customers, via email, that hackers compromised their personal information. The breach occurred on October 1 and 2, but the company waited two weeks to inform customers. The breach lasted about 28 hours, so any person who ordered from Pizza Hut through the mobile app during that time may have been affected.

Cyber criminals stole names, delivery addresses, billing zip codes, credit card numbers, CVN numbers, and email addresses. Although Pizza Hut issued a statement saying it quickly detected the breach and immediately remedied the situation, several customers tweeted comments about how long it took to disclose data breach details. A number of people had their bank accounts drained of funds.

Pizza Hut is considered the sixth largest fast-food chain in the world based on the number of locations globally. It is offering all of the 60,000 individuals potentially impacted by the cyber theft a free credit monitoring service for a year through Kroll Information Assurance LLC.

This is not the first time a large-scale restaurant chain has been targeted by cyber criminals this year. Others include Arby’s, Chipotle Mexican Grill, and Shoney’s. The recent Sonic breach compromised the private data of approximately five million customers.

Hyatt Hotels Corporation suffers second data breach in two years

On October 17, Brian Krebs reported that Chicago-based Hyatt Hotels Corporation publicly announced a data breach involving 41 of its hotels in 11 countries. China was impacted most, with 18 locations hit. Between March 18 and July 2, 2017, cyber criminals gained unauthorized access to customer payment card information.

Hackers breached POS terminals where information was manually entered or swiped. The cyber criminals stole cardholder names, card numbers, expiration dates, and internal verification codes. Hyatt launched an investigation involving third-party experts, law enforcement authorities and credit card companies.

In 2015, Hyatt was a victim of another data breach, which compromised credit card information at 250 locations within 50 different countries.

Hotels an increasing target of cybercrime

In an article, data security firm Netsurion reports that cyber criminals are increasingly targeting hospitality chains, mainly because of the type of POS system used. Legacy (i.e., outdated) systems with integrated POS environments that run unsecured applications are unable to compete with modern, more stable POS solutions. Adding extra back-office data processors to the mix also makes personal data more vulnerable.

John Christly, global CISO for Netsurion, pinpointed five threats that hotel brands and franchisees need to be aware of:

  • Ransomware
  • Remote hacking through third-party vendors
  • Phishing scams targeting customers and hotels
  • Distributed denial-of-service (DDoS) attacks on the hotel network
  • Theft of personal information over public Wi-Fi

The increase in hotel breaches affirms the need for Congress to take a closer look at the information security needs of retailers and hospitality chains when formulating its national cybersecurity regulations.

Protect your retail, restaurant or hospitality chain from cybercrime

As cybercriminals find new ways to infiltrate POS systems and mobile apps, it’s becoming more and more necessary to implement an effective information security management system (ISMS). An ISMS is a centrally managed framework for keeping an organization’s private information safe. The policies, procedures, and technical and physical controls you put in place will help to protect the confidentiality, availability and integrity of the information you process.

ISO 27001 is the international standard describing an appropriate ISMS implementation to protect your organization. To learn more, you can download ISO 27001: The facts. This free guide explains how the Standard works, how to navigate your compliance program, and the benefits of obtaining certification from an ISO 27001-accredited firm.