Hell Pizza: customer database could have been hacked
[UPDATE: Hell Pizza has now emailed customers to inform them of the situation, and to suggest they change their login if they use the same password for other websites; see copy in the Comments section below. - CK]
He knows what you ate last summer.
A hacker's claim to have stolen a large slice of Hell Pizza's customer database appears to be correct - at least in part.
Writing on the security website Risky.Biz, Patrick Gray, who appears to have an inside line on the world of security testers and hackers, wrote that he understood that "multiple intruders have compromised Hell Pizza's 400mb database".
The database, whose entries include the full names, addresses, phone numbers, email addresses, passwords and order history of the company's customers, is "doing the rounds", wrote Mr Gray.
It is said to hold up to 230,000 entries. The chain has 64 stores in New Zealand, nine in Australia and three in the UK.
NBR spoke to Hell Pizza director Warren Powell this afternoon, who confirmed that Mr Gray had sent him four customer entries - two from 2004 and two from 2005 - and that they seemed genuine.
But as to whether the hackers held 230,000 database entries as claimed, the director said "the honest fact is we just don't know".
Mr Powell said the database did reveal a person's address, and what pizzas they ordered.
But the director sought to play down the possible breach, saying the offending appeared to be historic, and did not involve any credit card information.
"Everybody gets hacked into, even the Pentagon," Mr Powell said. "That's why we keep them separate."
The potentially stolen data was "of no value to anyone", the director said.
Mr Powell - part of a group of founders who sold Hell Pizza's New Zealand operation in 2006 and recently bought back control - said a new database system had been put in place six months ago. Further system upgrades were to be put in place next week.
If Mr Gray had any information about the hacker he should supply it to Hell, said Mr Powell, who would take it to police.
Hell needs to notify customers
"Even if the data is old, and may in fact not be usable on the new site as Warren says, I'm less than impressed with such weak security", IT commentator Juha Saarinen told NBR.
"It's unacceptable that people's privacy is being compromised in this manner.
"Some people use the same password for other sites like TradeMe and online banking.
"Once you have access to that, you can get password resets from just about everywhere, and further compromise accounts."
Hell should notify all customers that their passwords had been potentially breached, Mr Saarinen said.
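The article reports that passwords were among the leaked fields but does not say how they were stored. The following is an added example, not code from the article or from Hell Pizza, showing the storage practice that limits the damage Mr Saarinen describes: a per-user random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library) mean a stolen table yields hashes that must be brute-forced one user at a time, rather than passwords ready to try against TradeMe or a bank. The two customer rows, the `example.invalid` addresses and the iteration count are constructed for the example; the record format `pbkdf2_sha256$iterations$salt$digest` is this example's own convention.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical work factor for the example; a real deployment tunes this to its hardware
# so that one verification takes a noticeable fraction of a second.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest, all base64.

    A fresh 16-byte salt per user means two customers with the same password
    get unrelated records, and a precomputed table is useless against the dump.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


# Constructed sample rows: two customers who happen to share a password, first as a
# plaintext store would hold them (the failure mode the commentators fear), then hashed.
PLAINTEXT_ROWS = [
    {"email": "alice@example.invalid", "password": "pepperoni2005"},
    {"email": "bob@example.invalid", "password": "pepperoni2005"},
]


def build_hashed_store(rows):
    """Convert plaintext rows into what the customer table should actually contain."""
    return [{"email": r["email"], "password": hash_password(r["password"])} for r in rows]


def leaked_plaintext_passwords(rows):
    """What an attacker gets from a plaintext dump: every password, verbatim, reusable elsewhere."""
    return [r["password"] for r in rows]


def hashed_records_are_distinct(store):
    """With per-user salts, identical passwords do not even produce identical records."""
    return len({r["password"] for r in store}) == len(store)


if __name__ == "__main__":
    hashed = build_hashed_store(PLAINTEXT_ROWS)
    print("plaintext dump exposes:", leaked_plaintext_passwords(PLAINTEXT_ROWS))
    print("hashed dump rows distinct:", hashed_records_are_distinct(hashed))
    print("login with correct password:", verify_password("pepperoni2005", hashed[0]["password"]))
    print("login with wrong password:  ", verify_password("Pepperoni2005", hashed[0]["password"]))
```

Hashing on the breached site does not remove the reuse risk entirely: a weak password will still fall to an offline guessing attack against its own salted hash, which is why notifying customers to change reused passwords, as Mr Saarinen urges, remains necessary even when the table was hashed.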