Hell Pizza: customer database could have been hacked

[UPDATE: Hell Pizza has now emailed customers to inform them of the situation, and to suggest they change their login if they use the same password for other websites; see copy in the Comments section below. - CK]

He knows what you ate last summer.

A hacker's claim to have stolen a large slice of Hell Pizza's customer database appears to be correct - at least in part.

Writing on the security website Risky.Biz, Patrick Gray, who appears to have an inside line on the world of security testers and hackers, said he understood that "multiple intruders have compromised Hell Pizza's 400mb database".

The database, whose entries include the full names, addresses, phone numbers, email addresses, passwords and order history of the company's customers, is "doing the rounds", wrote Mr Gray.

It is said to hold up to 230,000 entries. The chain has 64 stores in New Zealand, nine in Australia and three in the UK.

NBR spoke to Hell Pizza director Warren Powell this afternoon, who confirmed that Mr Gray had sent him four customer entries - two from 2004 and two from 2005 - and that they seemed genuine.

But as to whether the hackers had 230,000 database entries as claimed, the director said "the honest fact is we just don't know".

Mr Powell said the database did reveal a person's address, and what pizzas they ordered.

But the director sought to play down the possible breach, saying the offending appeared to be historic, and did not involve any credit card information.

"Everybody gets hacked into, even the Pentagon," Mr Powell said. "That's why we keep them separate."

The potentially stolen data was "of no value to anyone", the director said.

Mr Powell - part of a group of founders who sold Hell Pizza's New Zealand operation in 2006 then recently brought back control - said a new database system had been put in place six months ago. Further system upgrades were to be put in place next week.

If Mr Gray had any information about the hacker he should supply it to Hell, said Mr Powell, who would take it to police.

Hell needs to notify customers

"Even if the data is old, and may in fact not be usable on the new site as Warren says, I'm less than impressed with such weak security", IT commentator Juha Saarinen told NBR.

"It's unacceptable that people's privacy is being compromised in this manner.

"Some people use the same password for other sites like TradeMe and online banking.

"Once you have access to that, you can get password resets from just about everywhere, and further compromise accounts."

Hell should notify all customers that their passwords had been potentially breached, Mr Saarinen said.


19 Comments & Questions


All customers? Surely you mean all those who logged on to the website?

Reply

Dear Valued Hell Customer,

We have been approached by a party claiming to be in possession of customer details from the previous Hell website which is no longer in operation. The samples that we received included details of four customers from 2006, including phone numbers and email addresses and order information. We can confirm that credit card data was not at risk as this is held independently on a secure banking website.
Whilst we are still investigating the matter, we can confirm that the information was obtained without our knowledge and we have approached the New Zealand Police with a view to lodging a formal complaint. Hell recognises the importance of protecting customer information and additional security measures were implemented earlier this year when our new website was rolled out (again, we reiterate that this is not an issue affecting the new website). As a further security measure you may wish to consider changing your passwords on other sites if they were the same as the old Hell Pizza website.
We apologise for the incident and any inconvenience that this may have caused.

Sincerely,
Stu McMullin – Director Hell Pizza

We acknowledge that some of you have asked to be removed from the database and we have only included you for the purposes of this notification.

Reply

Wait till the media (I guess you) finds out that hell don't verify credit card details properly (try and order a pizza and "forget" your Credit Card Verification number or enter an invalid one..) or store credit card information properly on their website.

Reply

I used to work for Hell Pizza, and we used to write customers' credit card details on paper when eftpos was busy. Anyone could easily pass on those credit card details to fraudulent people to use them.
Hell Pizza is very deceptive, they sell very expensive pizzas at Hell stores but at the same time they also sell cheap pizzas under the name of Spawn, which many customers don't know is actually part of Hell – very sneaky indeed.
Not to mention their products are frozen, so after all they are no different from Pizza Hut or Domino, in fact Domino pizzas are value for money.

Reply

I prefer Thai.

Reply

What the hell's going on with Hell Pizza?

Reply

As a regular customer of hell pizza via the web, I had not received the above e-mail from them.

Are they storing passwords in plain text? Is it possible the passwords have been compromised? That e-mail I never received actually says nothing. Police informed - woo hoo, let's get the cyber police onto the haxxors.

A while back I received an e-mail from a store that had been a hell pizza store before ditching the franchise, clearly they had got my e-mail from the Hell customer database.

Very disappointed with Hell - and will not use them again.

Reply

Who really cares? most people can gain that information by going to the library...

If you use the same password to log on to a pizza site as you do your bank you're a flaming idiot.. and you fully deserved to have your bank hacked and all your dollar bills yal stolen

Reply

I'll be angry as hell, if the hackers use the hacked data to order my favourite pizza. It will be a violation of confidentiality, of the very worst kind.

Reply

RJT, you say "Hell have done their best to notify everybody of the situation, it's a pity that the response from some of the ill-informed and unwashed is so negative in the light of open honesty."

Reality is Hell Pizza is notifying customers NOW. There were discussions about this security breach almost 12 months ago. Twelve months to notify customers that their details have been leaked to unknown spammer/scammers is not "their best".

Reply

I use a unique email address for every site I sign up to.

I tweeted the issue and exchanged emails with Hell Pizza several months ago when my Hell email started receiving spam, that their customer list had been compromised.

So I too find it strange that they say they are "unsure".

I haven't received anything recently though, so it doesn't look like the information has been onsold much.

Reply

Always funny how something like this brings all out who decide it is an opportunity to simply abuse Hell - above I see people who say it is too expensive - well don't buy it then! Then we have people who say they worked there and complain about Hell - well why did you leave / get fired? Seems like plenty of sour grapes by plenty. As far as the security breach, it seems to me that Patrick Gray has some kind of axe to grind - he is happy to contact the press with his story, but does not seem to be able to provide any details of the hackers / users of the customer details - looks like someone muckraking to me purely at the expense of Hell. I eat it once a week and it always tastes great

Reply

I emailed Hell in August 2009 requesting an explanation of how my customer details had been leaked and they didn't even bother to reply to me. Not sure who was more irritating, them or the compromised travel agency that tried to blame me rather than accept they had a problem.

Reply

The comment at the end of the email seems strange: "We acknowledge that some of you have asked to be removed from the database and we have only included you for the purposes of this notification."

So some of you asked to be removed from the database and we said we did but actually we didn't just in case we wanted to email you again... Oh and if you asked to be removed for security concerns then sorry, you were right after all.

Reply

Had Hell last night, delicious as always. Got the e-mail, re database, awesome for Hell to let us know what is going on. Fan for ever.

Reply

It's a shame that some people are being so negative towards Hell.
They have done all the right things by alerting their customers.
As they said, no Credit Card info was taken, and all the other info can be found so easily these days anyway.
I reckon Hell have done a fantastic job and I will continue to support them and get all my friends and family to as well.
You rock HELL!!!!!

Reply

I called Hell today requesting that my info be removed, but they refused saying that they have full intellectual property over any database they have acquired from customers, and therefore I have no right to ask them to remove my info - how crazy is that.
Not only are your pizzas way too expensive, but your code of practice is certainly mediocre.

Reply

I find it amusing despite so much piffle that my earlier comments have been removed. Perhaps they were too logical for a sensationalist piece of media tripe?

No credit details divulged, literally all you could actually be distressed about losing is logon details to their ordering system (since changed and reset) and someone knowing what pizza you like.

Unless you're affiliated with Judaism or Allah and are afraid of your peers discovering your penchant for pork why would you care?

Again I reiterate the provider has emailed, facebooked and responded to all queries openly and honestly as the information has been confirmed to them.

Oh and as for the comparison to Dominoes above? Ridiculous. If you can't appreciate the taste difference it's no wonder you are no longer employed by Hell Pizza.

Reply

This is truly karma.

After all the crap stunts (they call advertising) Hell play on other people, religious cultures and companies for this to happen to them is truly pay back.

Could this be another cheap advertising ploy to off load more pizza by a company that's struggling for market share in a fast food industry?

You certainly have to wonder.

Reply
