[UPDATE: Hell Pizza has now emailed customers to inform them of the situation, and to suggest they change their login if they use the same password for other websites; see copy in the Comments section below. - CK]
He knows what you ate last summer.
A hacker's claim to have stolen a large slice of Hell Pizza's customer database appears to be correct - at least in part.
Writing on the security website Risky.Biz, Patrick Gray, who appears to have an inside line on the world of security testers and hackers, wrote he understood that "multiple intruders have compromised Hell Pizza's 400mb database".
The database, whose entries include the full names, addresses, phone numbers, email addresses, passwords and order history for the company's customers, is "doing the rounds", wrote Mr Gray.
It is said to hold up to 230,000 entries. The chain has 64 stores in New Zealand, nine in Australia and three in the UK.
NBR spoke to Hell Pizza director Warren Powell this afternoon, who confirmed that Mr Gray had sent him four customer entries - two from 2004 and two from 2005 - and that they seemed genuine.
But on whether the hackers had 230,000 database entries as claimed, the director said "the honest fact is we just don't know".
Mr Powell said the database did reveal a person's address, and what pizzas they ordered.
But the director sought to play down the possible breach, saying the offending appeared to be historic, and did not involve any credit card information.
"Everybody gets hacked into, even the Pentagon," Mr Powell said. "That's why we keep them separate."
The potentially stolen data was "of no value to anyone", the director said.
Mr Powell - part of a group of founders who sold Hell Pizza's New Zealand operation in 2006 then recently bought back control - said a new database system had been put in place six months ago. Further system upgrades were to be put in place next week.
If Mr Gray had any information about the hacker he should supply it to Hell, said Mr Powell, who would take it to police.
Hell needs to notify customers
"Even if the data is old, and may in fact not be usable on the new site as Warren says, I'm less than impressed with such weak security", IT commentator Juha Saarinen told NBR.
"It's unacceptable that people's privacy is being compromised in this manner.
"Some people use the same password for other sites like TradeMe and online banking.
"Once you have access to that, you can get password resets from just about everywhere, and further compromise accounts."
Hell should notify all customers that their passwords had been potentially breached, Mr Saarinen said.