Which is worse: a large data breach or a data protection watchdog that has a history of having no bite?

In early September 2023, Pizza Hut’s Australian division suffered a cyberattack that compromised customer data, including delivery addresses and order details, potentially affecting around 193,000 customers of the 260 restaurants in the country.

While the fast-food chain’s operations remained unaffected by the attack, the incident was reported to the country’s data security agency, the Office of the Australian Information Commissioner (OAIC).

The compromised data included sensitive data and personally identifiable information (PII): customer names, email addresses, phone numbers, delivery details, pizza order details, encrypted credit card numbers and encrypted passwords. All affected customers have been contacted and advised to take steps to protect their information and to watch for scams leveraging the stolen data.

Pizza Hut Australia’s CEO, Phil Reed, has acknowledged the incident and said that an investigation is underway with the help of forensic and cybersecurity specialists. No details have been revealed about how far back the leaked data dates.

The franchise’s previous cybersecurity incident occurred in 2017, when Pizza Hut USA lost some customers’ credit card numbers. The firm called the 28-hour exposure window a “temporary security intrusion,” and customers took it to task for informing them of the breach only weeks later.

Commenting on the latest incident, Debrup Ghosh, Senior Product Manager at Synopsys Software Integrity Group, said: “Protecting sensitive customer data is extremely important because this type of information getting leaked often leads to reputation risk for the organization, whether it is PII or credit card transactional data protection required by the Payment Card Industry Data Security Standard (PCI DSS) standard. Companies have a responsibility not only to their shareholders but also customers to protect this data, as very often the lack of action can not only lead to lack of consumer trust in the brand but also have direct financial impacts with fines and class action lawsuits.”

The OAIC has come under fire in the past over “lengthy delays”, “funding constraints”, limited staffing and other public complaints.