[UPDATE: Hell Pizza has now emailed customers to inform them of the situation, and to suggest they change their login if they use the same password for other websites; see copy in the Comments section below. - CK]
He knows what you ate last summer.
A hacker's claim to have stolen a large slice of Hell Pizza's customer database appears to be correct - at least in part.
Writing on the security website Risky.Biz, Patrick Gray, who appears to have an inside line on the world of security testers and hackers, wrote he understood that "multiple intruders have compromised Hell Pizza's 400mb database".
The database, whose entries include the full names, addresses, phone numbers, email addresses, passwords and order history for the company's customers, is "doing the rounds", wrote Mr Gray.
It is said to hold up to 230,000 entries. The chain has 64 stores in New Zealand, nine in Australia and three in the UK.
NBR spoke to Hell Pizza director Warren Powell this afternoon, who confirmed that Mr Gray had sent him four customer entries - two from 2004 and two from 2005 - and that they seemed genuine.
But as to whether the hackers had 230,000 database entries as claimed, the director said "the honest fact is we just don't know".
Mr Powell said the database did reveal a person's address, and what pizzas they ordered.
But the director sought to play down the possible breach, saying the offending appeared to be historic, and did not involve any credit card information.
"Everybody gets hacked into, even the Pentagon," Mr Powell said. "That's why we keep them separate."
The potentially stolen data was "of no value to anyone", the director said.
Mr Powell - part of a group of founders who sold Hell Pizza's New Zealand operation in 2006 then recently bought back control - said a new database system had been put in place six months ago. Further system upgrades were to be put in place next week.
If Mr Gray had any information about the hacker he should supply it to Hell, said Mr Powell, who would take it to police.
Hell needs to notify customers
"Even if the data is old, and may in fact not be usable on the new site as Warren says, I'm less than impressed with such weak security", IT commentator Juha Saarinen told NBR.
"It's unacceptable that people's privacy is being compromised in this manner.
"Some people use the same password for other sites like TradeMe and online banking.
"Once you have access to that, you can get password resets from just about everywhere, and further compromise accounts."
Hell should notify all customers that their passwords had been potentially breached, Mr Saarinen said.