Credit card details stolen after Pizza Hut undercooks its website security
Pizza Hut, the pizza restaurant division of Yum! Brands Inc., is the latest in a growing list of fast-food chains to be hacked, as the company admitted that credit card data was stolen from customers two weeks ago.
The hack, which was described on the pizza maker’s website as a “temporary security intrusion” between the morning of Oct. 1 and midday Oct. 2, was claimed to have affected only a small percentage of customers, with Pizza Hut putting the figure at “less than 1 percent.”
Although Pizza Hut didn’t confirm the exact number, about 60,000 people are believed to have had their details stolen, including not only the credit card number but also the expiration date, card verification number (CVN) and email address, everything a fraudster needs to make online purchases. The presence of the CVN is worth noting: PCI DSS prohibits merchants from storing it after authorization, so its theft would be consistent with data being captured as customers entered it rather than taken from stored records.
The amount stolen by the hackers is not clear, but some affected by the hack claim to have had large amounts stolen. One person on Twitter wrote that “so @pizzahut sent an email today about a breach that occurred 2 weeks ago. their delay resulted in my bank acct being drained thx to fraud.”
Also unknown at this point is how the hackers obtained access to Pizza Hut’s website, but there are some likely causes. Sam Curcuruto, head of product marketing at RiskIQ Inc., told SiliconANGLE that this sort of attack is a growing trend.
“There’s been a rash of recent incidents in which corporate websites have been hacked to steal sensitive customer data,” he said. “Often, this is a result of servers running unpatched frameworks such as Apache Struts 2, or vulnerabilities related to compromised third-party components such as JavaScript, which can be modified upstream and affect all the sites that use it. For instance, RiskIQ has discovered keylogging malware that exploits JavaScript of e-commerce software that integrates with websites all around the world. By logging consumer keystrokes, the threat actors behind it could steal the credit card data of online shoppers purchasing items from the affected sites.”
In both cases, he explained, the damage stems from the affected organization not knowing beforehand about the vulnerability that was being exploited.
“Attackers performing reconnaissance will often look for these unknown, unprotected, and unmonitored assets to use as attack vectors,” Curcuruto added. “With GDPR [the European Union General Data Protection Regulation] taking effect, to avoid harsh penalties, organizations must be able to inventory and detail websites where personally identifiable information is captured and processed. Not only that, but they must also be able to identify where PII is captured by third parties using their company/brand as a lure (such as ads), verify security of the PII-collecting websites with SSL certificates, and comply with persistent cookie requirements on websites (expiration of less than one year).”
Photo: Basil D Soufi/Wikimedia Commons