[UPDATE: Hell Pizza has now emailed customers to inform them of the situation, and to suggest they change their login if they use the same password for other websites; see copy in the Comments section below. - CK]
He knows what you ate last summer.
A hacker's claim to have stolen a large slice of Hell Pizza's customer database appears to be correct - at least in part.
Writing on the security website Risky.Biz, Patrick Gray, who appears to have an inside line on the world of security testers and hackers, wrote he understood that "multiple intruders have compromised Hell Pizza's 400mb database".
The database, whose entries include the full names, addresses, phone numbers, email addresses, passwords and order history of the company's customers, is "doing the rounds", wrote Mr Gray.
It is said to hold up to 230,000 entries. The chain has 64 stores in New Zealand, nine in Australia and three in the UK.
NBR spoke to Hell Pizza director Warren Powell this afternoon, who confirmed that Mr Gray had sent him four customer entries - two from 2004 and two from 2005 - and that they seemed genuine.
But as to whether the hackers had 230,000 database entries as claimed, the director said "the honest fact is we just don't know".
Mr Powell said the database did reveal a person's address, and what pizzas they ordered.
But the director sought to play down the possible breach, saying the offending appeared to be historic, and did not involve any credit card information.
"Everybody gets hacked into, even the Pentagon," Mr Powell said. "That's why we keep them separate."
The potentially stolen data was "of no value to anyone", the director said.
Mr Powell - part of a group of founders who sold Hell Pizza's New Zealand operation in 2006 then recently bought back control - said a new database system had been put in place six months ago. Further system upgrades were to be put in place next week.
If Mr Gray had any information about the hacker he should supply it to Hell, said Mr Powell, who would take it to police.
Hell needs to notify customers
"Even if the data is old, and may in fact not be usable on the new site as Warren says, I'm less than impressed with such weak security", IT commentator Juha Saarinen told NBR.
"It's unacceptable that people's privacy is being compromised in this manner.
"Some people use the same password for other sites like TradeMe and online banking.
"Once you have access to that, you can get password resets from just about everywhere, and further compromise accounts."
Hell should notify all customers that their passwords had been potentially breached, Mr Saarinen said.