Over One Million Customer of Pizza Hut Australia Details Compromised in a Massive Data Leak, But ShinyHunters Threat Group Claimed to be Behind it

Continue reading
In what has been a troubling year for Australian citizens concerned about their personal information, another cybersecurity incident has come to attention. This time, the victims are reportedly over a million customers of Pizza Hut Australia. The threat actors behind this data breach have identified themselves as the notorious ShinyHunters threat group.
ShinyHunters, under the moniker “Shiny,” claims to have infiltrated Pizza Hut Australia's systems approximately one to two months ago. Their point of entry? Amazon Web Services (AWS), which they leveraged through multiple access points. What's particularly alarming is that they assert that their presence was completely undetected during this period of unauthorized access.
In 2020, the ShinyHunters gang gained infamy due to a series of cyberattacks that compromised the security of over 60 companies. Among their corporate targets were online dating platforms, a service for creating photo books known as Chatbooks, and even stock-trading services.
Even tech giant Microsoft wasn't spared, as the group managed to pilfer more than 500GB of source code from Microsoft's confidential GitHub repository.
Despite law enforcement efforts to apprehend suspected members of this hacking group, ShinyHunters remains an ongoing concern for businesses entrusted with the critical task of safeguarding their customers' sensitive information.
The scale of this breach is staggering. ShinyHunters declares that they have successfully exfiltrated more than 30 million records. Among this treasure trove of data are customer orders and information pertaining to over one million Pizza Hut Australia customers. This includes a detailed breakdown of order history, delivery preferences, and contact details.
To substantiate their claims, ShinyHunters provided DataBreaches with two sample files. The first file contained 200,000 records of customer orders, encompassing a wide array of information, such as order IDs, customer names, contact information, payment details, and even web hook URLs. This information was startlingly comprehensive.
The second sample file was in JSON format and contained the personal information of 100,000 customers. It included their names, email addresses, postal addresses, mobile phone numbers, service preferences (delivery or pickup), and credit card numbers. Although the credit card data was encrypted, it is concerning that other sensitive fields were stored in plaintext.
We conducted spot checks on customer names and discovered individuals whose details matched the geographic location provided in the data samples. This corroborates the authenticity of the stolen data. ShinyHunters has issued a ransom demand, seeking $300,000.00 in exchange for deleting all the compromised data. It's worth noting that ShinyHunters is known for selling or leaking data when their demands are not met. Thus far, Pizza Hut has not responded to their extortion attempts.
ShinyHunters' demand for a $300,000.00 ransom underscores the financial motivations behind this data leak. Organizations must develop incident response plans that include strategies for dealing with extortion attempts. Engaging with law enforcement and cybersecurity experts is crucial in such situations.
The presence of a "StoreID" field in the data raises questions about data management within franchise models. Security professionals should work closely with franchisees to ensure consistent cybersecurity practices and data protection measures across the entire network.
The absence of any data breach notification on Pizza Hut Australia’s website is a significant oversight. Security professionals should emphasize the importance of timely and transparent communication with affected customers, regulators, and law enforcement agencies during and after a breach.
In the wake of the data breach affecting Pizza Hut Australia, the company has taken several steps to address the situation. Let's examine their response from a cybersecurity perspective:
Pizza Hut Australia reacted promptly by notifying affected customers via email. Timely notification is a crucial component of incident response, helping individuals take necessary precautions to protect themselves from potential threats.
The company's communication emphasized no evidence of personal information misuse and that the exposed data cannot directly lead to identity theft or fraud. This transparency helps mitigate panic among affected customers and demonstrates a commitment to their security.
Pizza Hut Australia reported the breach to the Australian Information Commissioner. This is a legal obligation in many jurisdictions and showcases the organization's commitment to complying with data protection regulations.
Pizza Hut's assurance that credit card details remain secure due to processing by an approved payment platform is reassuring. It underscores the importance of secure payment processing mechanisms as an additional layer of defense against data breaches.
Encouraging customers to remain vigilant regarding suspicious emails, SMS messages, and phone calls is a proactive measure. Education and awareness are critical aspects of cybersecurity, as they empower individuals to identify and report potential threats.
Pizza Hut Australia advises customers to report scams to Scamwatch. This collaborative approach to combating fraud and cybercrime is commendable. It leverages established authorities to investigate and take action against threat actors.
Pizza Hut Australia data breach, attributed to the ShinyHunters threat group, leaves a persistent impact experienced by fast food restaurant chains. This incident underscores the need for a comprehensive and proactive approach to cybersecurity, including: Cloud Security: Rigorous assessment of cloud infrastructure and access controls is imperative to prevent unauthorized access via cloud platforms like AWS. Data Protection: Strong encryption and hashing practices should be employed to safeguard sensitive information, especially when stored in plaintext. Incident Response: Organizations must develop robust incident response plans that encompass strategies for handling ransom demands and engaging with law enforcement. Franchise Collaboration: For businesses with franchise models, consistent cybersecurity practices and data protection measures should be enforced across the entire network. Communication: Timely and transparent communication with affected parties, regulatory bodies, and law enforcement is critical in mitigating the fallout of a data breach. As the threat landscape continues to evolve, proactive measures and a commitment to best practices are essential for organizations to protect themselves and their customers from the ever-present threat of cyberattacks.

A third-party software flaw inside one of Japan's largest telcos exposed login credentials for up to 14.2 million email accounts across six ISPs. The passwords? Some were hashed. Some may not have been