Americans may soon need to change their eating habits or how they pay for meals following another restaurant chain breach, this time Pizza Hut, which took two weeks to alert customers.
The Plano, Texas-based chain sent a notice last weekend to about 60,000 customers, advising them to start canceling their credit cards because of a security intrusion that lasted about 28 hours, from the morning of October 1 to midday on October 2. Data stolen included names, delivery addresses, email addresses, and payment card information, including the card number, expiration date, and CVV number.
In its statement to consumers, Pizza Hut said: "Pizza Hut U.S. experienced a brief third-party security intrusion on our website and mobile app that compromised the information of a limited number of customers. Pizza Hut quickly detected the intrusion and immediately took steps to halt it and remediate the security issue. We estimate that less than one percent of the week's traffic was affected. We take the information security of our customers very seriously and invest in resources to protect the customer information in our care. We value the trust our customers place in us, regret that this happened, and apologize for any inconvenience this may have caused."
Rather than post a statement on its website, though, the chain chose to contact affected customers directly and offered them free credit monitoring service for a year. That didn't go far enough to appease some customers, who voiced displeasure through social media over the two-week delay in notification.
Delayed notification is a recurring theme that continues to come up following merchant breaches. "American consumers deserve better from the companies they've entrusted with their financial information," NAFCU President and CEO Dan Berger has said about these types of breaches. "Our country should already have a national data security standard in place for retailers and merchants, but we don't and it's extremely frustrating. How many more data breaches do consumers need to suffer before these companies are held accountable?"
Berger reiterated that it is credit unions and other financial institutions that help consumers after a merchant data breach. "It's going to be the financial institution that makes them whole, that pays off the charges or replaces money in the customer's checking account, or reissues the cards, and all those costs fall back on the financial institutions," he said.
Marco Cova, senior security researcher at Redwood City-based cybersecurity firm Lastline, voiced similar concern. "While Pizza Hut is suggesting this breach wasn't particularly serious in terms of the volume of customers affected, there are certainly some best practices that were not implemented around this breach. Waiting two weeks to inform the users affected means that the individuals were unable to block or change their cards, which in turn meant that the fraudulent data stolen facilitated further cybercrime in the form of credit card fraud, which is always the worry with data breaches. Companies should learn from this mistake, and should endeavor to tell the individuals what's happening as soon as possible, and invest in the appropriate breach-detection services to stop cybercriminals before they access the data in the first place."
Why are so many merchants victimized? "There's been a rash of recent incidents in which corporate websites have been hacked to steal sensitive customer data," said Sam Curcuruto, head of product marketing at San Francisco-based digital threat management firm RiskIQ. He added that this results from servers running unpatched frameworks such as Apache Struts 2, or from vulnerabilities related to compromised third-party components, such as JavaScript, which might affect all the sites that use it if modified upstream. "For instance, RiskIQ discovered keylogging malware that exploits Javascript of e-commerce software that integrates with websites all around the world. By logging consumer keystrokes, the threat actors behind it could steal the credit card data of online shoppers purchasing items from the affected sites."
Curcuruto said the ruinous consequences stem from affected organizations not knowing about exploitable vulnerabilities. "Attackers performing reconnaissance will often look for these unknown, unprotected, and unmonitored assets to use as attack vectors."