
3,978,432 Emails Breached by Pizza Hut – The Case of The Missing Zeros

22nd April 2021, TurgenSec Limited, Public Statement v1.0

Summary

TurgenSec became aware of a publicly accessible datastore which belonged to a franchisee of Pizza Hut Indonesia or to Pizza Hut Indonesia itself. The breach contained 3,978,432 unique email addresses and multiple data headings that Pizza Hut Indonesia disputes contain real data. The data breach was estimated to be almost 65GB in size.

This breach was accessed and downloaded by an unknown third party. 

The information was left public facing, where anyone with a browser and an internet connection could access it if they knew where to look.

Potential sensitive data headings:

Pizza Hut Indonesia claims that most of the data fields do not contain detailed customers' information (especially for matters concerning customers' financial / bank data and historical transactions, and that phone numbers and addresses are incomplete / inaccurate).

The headings below are a selection of the data headings contained within this breach.

  • store code, 
  • loyalty point, 
  • name, 
  • email, 
  • password, 
  • First name, 
  • last name, 
  • phone, 
  • alt phone, 
  • gender, 
  • birthday, 
  • street address, 
  • first order date, 
  • customer id, 
  • bank_code, 
  • bank_branch_code, 
  • Bank_account_number.

TurgenSec Response

We encourage Pizza Hut Indonesia to submit the breached data to digital forensics specialists to ascertain the true extent of this data breach.

We also encourage Pizza Hut Indonesia to inform any relevant regulatory body, especially if UK or EU citizens' data is contained within the breach, as this should be reported to the local regulator (the ICO in the UK), and to issue a public disclosure of this data breach explaining how this datastore breach occurred, including the full extent of what was breached, so that the impacted individuals can take the necessary steps to protect themselves.

The Disclosure

We originally disclosed this to Yum (parent company of Pizza Hut), who informed the data custodian in question of the potential breach. They swiftly closed the potential data breach and informed us that the party in question would contact us to answer any further questions we had around informing those impacted. 

We applaud Yum and their security team for their swift response in closing this potential breach.

After some follow ups we managed to get in touch with the data custodian in question, Pizza Hut Indonesia. We conversed with Pizza Hut Indonesia trying to understand the extent of data breached. 

They informed us the breach was caused by an unintentional upload by a third-party service provider from their development servers.

They informed us that despite headers existing for financial data (see above), these were not populated, and the data did not contain financial, banking or transactional information, or credentials such as passwords.

They also informed us of various oddities in the data, such as that all the 0's had been removed from the phone numbers contained within the data, and that the addresses contained were inaccurate.
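The claims above (sensitive headings present but unpopulated, zeros missing from phone numbers) are exactly the kind of thing a forensic triage of the dump should verify before anyone decides how serious the exposure is. The script below is an added example, not code from TurgenSec, Yum or Pizza Hut Indonesia: it assumes the dump is exported as CSV with the headings listed under "Potential sensitive data headings", and the embedded sample rows are constructed for illustration and contain no real data. It reports how many unique email addresses are present, which sensitive columns actually hold values, and what share of phone values contain no zero digit at all (a whole dump with none is consistent with the zero-stripping described, for instance numbers stored as integers so leading zeros are lost).

```python
import csv
import io
import re

# Constructed sample of a dump using the column headings quoted in the
# statement. Every value is invented; none come from the real dataset.
SAMPLE_DUMP = """customer id,email,password,phone,alt phone,bank_code,bank_branch_code,Bank_account_number,street address
1,alice@example.invalid,,8121234567,,,,,Jl. Example 1
2,bob@example.invalid,,81298765432,,,,,Jl. Example 22
3,alice@example.invalid,,8129876543,81211111,,,,Jl. Example 3
4,carol@example.invalid,,6281355555,,,,,
"""

# Headings that raise the severity of the breach if they are populated.
SENSITIVE_PATTERNS = (
    re.compile(r"password", re.I),
    re.compile(r"bank", re.I),
    re.compile(r"account", re.I),
)


def column_fill_ratios(rows, fieldnames):
    """Fraction of rows in which each column holds a non-empty value."""
    ratios = {}
    n = len(rows)
    for name in fieldnames:
        filled = sum(1 for r in rows if (r.get(name) or "").strip())
        ratios[name] = filled / n if n else 0.0
    return ratios


def missing_zero_signature(values):
    """Share of non-empty phone values that contain no '0' digit.

    A realistic population of phone numbers contains plenty of zeros, so a
    share near 1.0 across the whole dump is the signature of zeros having
    been stripped or lost on export.
    """
    phones = [v.strip() for v in values if v and v.strip()]
    if not phones:
        return 0.0
    return sum(1 for p in phones if "0" not in p) / len(phones)


def triage_dump(text):
    """Summarise scope of a CSV dump: row count, unique emails, sensitive columns."""
    reader = csv.DictReader(io.StringIO(text))
    rows = list(reader)
    fieldnames = reader.fieldnames or []
    ratios = column_fill_ratios(rows, fieldnames)

    # Headings that look sensitive, and the subset that actually hold data.
    sensitive_present = [
        f for f in fieldnames if any(p.search(f) for p in SENSITIVE_PATTERNS)
    ]
    sensitive_populated = [f for f in sensitive_present if ratios[f] > 0]

    # Unique, case-normalised email addresses (the figure the statement quotes).
    emails = {(r.get("email") or "").strip().lower() for r in rows}
    emails.discard("")

    # Every column whose heading mentions a phone number feeds the zero check.
    phone_cols = [f for f in fieldnames if "phone" in f.lower()]
    phone_values = [r.get(c, "") for r in rows for c in phone_cols]

    return {
        "rows": len(rows),
        "unique_emails": len(emails),
        "sensitive_headings_present": sensitive_present,
        "sensitive_headings_populated": sensitive_populated,
        "fill_ratios": ratios,
        "phones_without_zero_share": missing_zero_signature(phone_values),
    }


if __name__ == "__main__":
    for key, value in triage_dump(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

On the constructed sample the report shows four sensitive headings present (password, bank_code, bank_branch_code, Bank_account_number) but none populated, three unique email addresses across four rows, and every phone value lacking a zero digit. Run against a real dump, the fill ratios per column are the evidence that either confirms or contradicts a custodian's statement that a heading was empty.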

We raised the number of emails contained within the breach with them and they could not confirm whether the quantity of emails contained within the breach belonged to customers. 

They informed us that they had complied with the IT Security Policies and Procedures in Indonesia and that they do not consider this a data breach. 

TurgenSec could not get assurance that the potential customers within this data breach had been informed of the potential data breach and had been able to take actions to protect themselves.

Email addresses are a key target for spamming and phishing campaigns that disproportionately impact the most vulnerable in society. Informing customers when their data has been breached allows them to be on high alert for these attacks and to take steps to protect themselves.

Being open and honest with customers creates an environment where consumers trust businesses to act appropriately, putting their data rights first. We understand that legislation around the world requires companies to take different steps when a potential breach occurs, but following only the minimum legal requirements, particularly when legislation often lags behind real life, is not an appropriate level of respect for users' data rights.

Archive of statement updates

  • 22nd April 2021 – Disclosure Published

Afterword

Disclosing breaches to companies is not without risk. In the past well-meaning security researchers looking to help have been threatened with prosecution. That said, to our knowledge, no ethical hacker has been successfully prosecuted under the Computer Misuse Act 1990 since it came into force.

No hacking or offensive techniques were utilised to discover the data; at the time of data access, any user with a web browser and internet connection would have been able to access the data in the database. 

Choosing to disclose this breach is at our own risk, and to the immediate and ultimate benefit of the people and organisations impacted. To assist these individuals and organisations, we provide the column headings of the breached data in “Potential sensitive data headings”. This allows those impacted people and organisations to assess the scope of the breach and where appropriate, exercise their legal rights and incident response plans.

Going forward we hope that companies in the UK and internationally will follow the lead of the National Cyber Security Centre and encourage security researchers to disclose their findings without fear of entering a high risk, no reward situation. We believe that such a culture shift would directly benefit the UK & international community through the global reduction of cyber crime.