Pizza Lovers Suffer Data Breach From Hell
netbuzz writes "Some 230,000 New Zealanders have been informed that their personal information has apparently fallen into the hands of hackers who compromised the network of a locally famous food chain, Hell Pizza. The company says it suspects 'a rogue employee,' but one security expert says Hell's ordering portal is 'about 50 steps of fail.' Several New Zealand celebrities are among the victims and at least one is taking the matter in stride, musing: 'My Twitter has been hacked, my Facebook has been hacked and I'm pretty sure half of New Zealand has my phone number already. I have nothing bad to say about Hell.'"
The Good Old Pizza Times (Score:5, Funny)
The problem was that later on we obviously got hungry. This happened many times. Someone had to go get some food. Pizza was the obvious choice. But who would it be? I didn't want to. So we played a game of rock paper scissors. Damn, I lost. I tried to have another round, but they didn't let me. There was nothing I could do.
I had to get up my ass and go get pizza. I asked my friends what they wanted. Adam said he wanted a delicious Pepperoni pizza. Jim said he wanted a Hawaiian pan pizza. I tried to remember their choices and took my bike. On the way over to the restaurant I tried to think what I want. Supreme pizza, double-cheese or maybe double bacon cheeseburger pizza?
I arrived at the pizza place. The taste was beautiful. I felt like I was home. I walked in and ordered three large pizzas, mine being the double bacon cheeseburger pizza. I felt so hungry. I just wanted to grab the pizza and eat. When the pizzas came, I had to eat there. I also took a few pieces of my friends' pizzas because I wanted to taste them. Man, I was happy.
Back then we didn't have credit cards, so I paid with the small amount of money that was in my pocket. No problems for the vendor, no problems for me, and everything worked greatly. The lesson being - pay with cash.
Re:The Good Old Pizza Times (Score:5, Funny)
I thought the lesson was..
"Don't let your asshole friend go to get the pizza, cause all he'll bring you home is a couple of cold slices"
What I don't understand... (Score:4, Interesting)
Any shop that tries to get that kind of information out of me gets a flat refusal. Likewise, any venue that tries to take my fingerprints or iris scan.
Re: (Score:2)
Ah, my friend, these days they just digitally map your face using the 10s to 100s of cameras that film you every day. We know who you are, citizen.
Re:What I don't understand... (Score:5, Insightful)
why the hell some outfits feel the need to collect that much information about you just to sell you some food.
Email address: to reset your password if you forget it (you'd want an account so you don't have to type in your address and payment info each time).
Address: should be obvious.
Phone number: to phone in case they don't get an answer at the door.
TFA doesn't mention any extra personal details that were stolen. I don't see what's so crazy about them needing these other details for online ordering.
Re: (Score:2)
I am not sure if they store this info, but Dominos.com lets you pay by credit card on their online form, so that information very likely could be stored. And their pizza is much better to boot. I always get a lower price (the person on the phone is always rushed, hard to compare specials) AND I get points toward free food. Then again, I always use the (*)Cash option; I prefer to tip in cash, and the price is usually in the $15-$25 range is all. But ordering pizza by phone sucks, costs more and offers you
Re:What I don't understand... (Score:4, Informative)
http://www.bluemaumau.org/police_and_collection_agencies_love_dominos_database_pizza_lovers [bluemaumau.org]
They store it and happily sell it.
P.S. Domino's pizza is nasty. Try a real pizza place, like a smaller mom-and-pop that wants to make quality instead of the cheapest, highest-profit one they can.
Re: (Score:2)
Domino's Pizza takes pride in the fact that they whore out, I mean sell, every aspect of you over and over and over again. Collection agencies can get all your info from them on a subscription basis. Marketing companies also subscribe to their database, as do other companies. They are proud to throw their pizza customers' info to the wind for anyone to buy.
Most pizza places do this; they whore out your data left and right.
Re: (Score:2)
Pizza delivery service regularly calls because they can't find the clearly marked house on the clearly marked street.
Why? Because the leading GPS service places the house at the wrong end of the street, and if the GPS doesn't match the terrain, these idiots believe the GPS.
I've heard stories of people who have turned straight into brick walls or worse because their GPS told them, but before I moved here, I discounted these stories as wild exaggerations. Now I'm not so sure anymore.
Re: (Score:2)
Why? Because the leading GPS service places the house at the wrong end of the street, and if the GPS doesn't match the terrain, these idiots believe the GPS.
I've heard stories of people who have turned straight into brick walls or worse because their GPS told them, but before I moved here, I discounted these stories as wild exaggerations. Now I'm not so sure anymore.
Maybe the Darwin Awar
Re: (Score:2)
Their GPS tells them the route to follow, so they mindlessly turn off the busy paved roads onto increasingly rough dirt roads that eventually turn into trails Jeeps struggle to travel over.
Re: (Score:2)
...that much information...
After reading TFA and visiting their website, I find that they don't collect a lot of extra information. The only thing I found unnecessary was gender - which might be a good courtesy measure (I've met a woman with my same name....it's a strange world.)
Let's do some less-than-brain-surgery to determine what information is required.
Phone orders:
Name, phone number, address, and the pizza order (size, crust, toppings, side orders, drinks, etc.) and the nearest franchise location. Possibly creating a list of previ
Re: (Score:3, Funny)
I'll say! If I met a woman by the name of Crudely Indecent, I'd have to ask her the name of the movies she's starred in.
Re: (Score:3, Funny)
This coming from "smooth wombat"... asl?
Re: (Score:2)
Maybe the ability to collect and store this came as standard with the system. With nobody ever bothering to ask if it was needed.
Re: (Score:2)
One outfit in my life has _required_ seeing my ID, taking my photo and issuing me with a mandatory customer card -- Grand* Casino in Helsinki, Finland. I guess the purpose of this is for them to be able to identify any Ocean's Eleven attempters in their glorious mega casino.
(*) Grand: a couple of slot machines and blackjack tables.
Taxes and Crimes (Score:2)
It should be obvious that it's for tax purposes and to defeat illegal activity connected with gambling (money laundering).
Tax information is collected automatically here and so are your taxes. Any income from gambling is obviously taxable as well, so the government needs a way to collect that information.
Gambling is strictly regulated in the Scandinavian countries and Finland. We don't like gambling [politically] and it's not widespread.
I don't think we even have a casino in Norway at all, the lottery is s
Re: (Score:2)
I thought the lesson was..
"Don't let your asshole friend go to get the pizza, cause all he'll bring you home is a couple of cold slices"
No, the lesson is send your asshole friend who can't play rock, paper, scissors for shit to go get fat on pizza while you use his Amiga. Why the fuck should you pay for one? When he gets back with cold pizza refuse to pay cause hey he ate most of it and it's cold, then tell him it's time to go home.
Re: (Score:3, Funny)
I had to get up my ass and go get pizza. I asked my friends what they wanted. Adam said he wanted a delicious Pepperoni pizza. Jim said he wanted a Hawaiian pan pizza. I tried to remember their choices and took my bike. On the way over to the restaurant I tried to think what I want. Supreme pizza, double-cheese or maybe double bacon cheeseburger pizza?
So, PizzaAnalogyGuy, there seems to have been a little bit of a mix-up. This story wasn't supposed to get published till Christmas and your dream story ended up on /.
Between me and you, don't be expecting anything big under the tree in a few months. You can however, cherish this story, and the fact that you got first post on it.
*sips coffee*
Re:The Good Old Pizza Times (Score:5, Funny)
Back then we didn't have credit cards, so I paid with the small amount of money that was in my pocket.
Did you have to move aside the onion you wore on your belt as that was the fashion at the time?
Re: (Score:1)
Yes SIR!!!! (Score:2, Funny)
Re: (Score:2, Informative)
replying due to unintentional mod.
Re:The Good Old Pizza Times (Score:5, Insightful)
I thought the lesson was: If you fetch the chow, you're entitled to a service fee, payable in consumables purchased. Hmmm Lemming Pizza :P~
Re: (Score:3, Funny)
I had to get up my ass...
That's got to hurt!
Your story reminds me of a High School job I had making pizzas.
It was years before I could eat a pizza that I didn't make myself.
Security audits? (Score:2, Funny)
Re: (Score:2)
Re: (Score:3, Interesting)
I wouldn't be surprised if they just had IT security audits done by KPMG and Ernst & Young while the data was being pulled out by the truckload through a gaping hole, just like the Latvian banks...
Yeah, well, as an auditor (Score:2)
Can you imagine the roll call?
Thompson, you got the banking industry, now make sure you are NOT distracted by those luscious red-headed twins they will send after you or for god sakes, say NO to the bulging envelopes of cash.
William, you got the pizza place down the block. And for god sakes, stay away from their cousin Agnes, she fancies you and the last guy was crushed to death when she jumped on him. Oh, you are a slashdot reader? Then this might be your only chance.
It's a concern... (Score:5, Funny)
Re: (Score:2)
Re: (Score:3, Informative)
It's actually a really nice place. Without a doubt the best place I have been outside Australia. Their government is small scale, but it seems to work better that way.
Re:It's a concern... (Score:5, Funny)
So you've just been there and Australia then?
Re: (Score:2)
Yeah agreed. Lovely country and I'd agree - best I've been to outside Australia in terms of where I'd want to live. And I've been to: the UK, the US, Canada, France, Singapore, Fiji (and Australia and NZ obviously).
Re: (Score:2)
If you can stomach the institutionalised racism.
Eg; your bereavement leave entitlement depends on your race. If you are 'non-Maori' you get three days. If you are Maori you get 'as much time as you need to fulfil your cultural responsibilities'.
Personally, I abhor this kind of thing; the only time your parentage should be of interest to the government should be on matters of nationality, not bereavement leave.
I'm disgusted with New Zealand.
Re: (Score:2)
Native Americans get benefits. Australian aborigines get subsidies for housing, education, land. All of this is payback for all the raping and pillaging which went on when Europeans were colonizing their land. It's not specific to NZ, though the Maoris are probably in a better state than the other examples I gave. The way they are going, Australian aborigines will hardly exist in a couple of generations.
Re: (Score:2)
Under the UN convention on human rights it's not appropriate to punish children for the crimes of their parents.
And in this particular case, even if it's 'payback' against New Zealanders of British descent, how about descendants of the newcomers who are of, say, Chinese descent and who had nothing to do with the original colonisation? I guess they aren't even covered by the 'treaty of waitangi' and have no rights at all?
Much in New Zealand society appears to be premised on the notion that if your ancestors arr
Re: (Score:2)
Under the UN convention on human rights it's not appropriate to punish children for the crimes of their parents.
I don't necessarily think you are wrong, but I do think that the provisioning of alcohol to people who have no innate tolerance for it could be construed as chemical warfare. That's pretty much the situation with Australian aborigines.
Re: (Score:2)
Our (I'm a NZer) government is small scale? Are you serious? It's nothing of the sort. We have an entrenched socialist system here, and as such it is not small scale.
Re: (Score:3, Insightful)
Actually that's 99.936%, sir.
Oh god, I think I just overexnerded myself. :(
Re:It's a concern... (Score:4, Funny)
To be fair, he was including the sheep.
So Hell Pizza requires Facebook/Twitter UID? (Score:1, Redundant)
Re:So Hell Pizza requires Facebook/Twitter UID? (Score:4, Insightful)
A different way to read it is that the other hacks were independent, and the anonymous celeb is saying that Hell is no worse than any of the other organizations which were entrusted with personal information.
Re: (Score:2)
Re: (Score:2)
I think he's indicating that he doesn't care about his personal information because he's already given most of it away on Facebook and Twitter. That, and he's a celebrity - personal life is the coin of that realm.
Re:So Hell Pizza requires Facebook/Twitter UID? (Score:5, Insightful)
Re:So Hell Pizza requires Facebook/Twitter UID? (Score:5, Funny)
the "celebrity" (quotes because we are talking about New Zealand)
It's obviously Russell Crowe
Re: (Score:2)
Re: (Score:1)
Isn't that how Susan Boyle was spawned?
Re: (Score:2)
Maybe he was just using the same keylogger.
SQL Injection (Score:4, Informative)
This isn't news.
Their server would execute any SQL query sent to it. The SQL queries were hard coded into the Flash objects they used.
Re:SQL Injection (Score:5, Funny)
Re:SQL Injection (Score:5, Interesting)
"I'd like to order a large, thin crust, double cheese, pepperoni and drop table..."
No, clear the table before you place your order so your pizza gets the priority it deserves.
Re: (Score:2)
Re: (Score:2, Funny)
Can't believe nobody's made the "it was all fine until Bobby Tables ordered" joke yet: http://xkcd.com/327/ [xkcd.com]
Re:SQL Injection (Score:4, Insightful)
Why else would you Hack into a Pizza chain, other than to order free pizza?
INSERT INTO ORDERS
SELECT [cheese] AS [topping 1], [pepperoni] as [topping 2], [free] AS [price], [asap] AS [priority]
Re:SQL Injection (Score:4, Informative)
Re: (Score:2)
Unfortunately they've gone downhill lately, as proved by their new ads admitting that they have less fat than Pizza Hut pizzas and less salt than Domino's. Now, Hells are still better (by a huge margin in the case of Domino's), but by what stretch of the imagination is low fat & salt a good thing for a pizza?? I'm not eating pizza to lose weight and maintain a healthy heart or whatever, and personally I need my salt as I do quite a lot of exercise.
Anyway, Spagalimis do a better New Zealand pizza in
Re: (Score:2)
Re: (Score:2)
Pity the first extra command sent to it wasn't a DROP DATABASE
Hmmm.... (Score:2)
Re: (Score:2)
Nope
http://www.heluvagood.com/ [heluvagood.com]
makes only dips, condiments and cheese... No pizza
Pizza Woes: A Tale (Score:2, Funny)
It wasn't until I'd consumed it that I realized what was happening. Tom heartily recommended the new bread-disc, imploring I buy it with gusto:
"Pete this triple layer, cheese, anchovy, jalapeno, ape and pepperoni monster will be the takeaway of your life. They put cayenne in the tomato puree and man...just buy it. Gotta be tasted to be believed."
It's hardly common for that man to grant such an endorsement, and the next day I phoned up and got a jumbo 14" , the guy over the phone even said; 'We think you're
Risky.Biz Explanation (Score:5, Informative)
Immediately I spotted the SQL Queries being made by the Flash SWF as part of the query string to the server-side. The Flash client makes queries which are hard-coded in the .swf (this is dumb as it means SQL Injection is effectively a 'feature' of the store).
You could easily alter the query string to show the hashes stored in the MySQL users table. I figured out the version of MySQL was 4.0 (Debian Sarge) - and the hashes in this version are very weak, cracking them would take less than a couple of hours.
MySQL was listening on a remote port, so one could simply log in remotely and run queries or dump the database slowly so as to not be noticed.
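The flaw the post describes is a client that hands whole SQL statements to the server in the URL query string, which means the evidence also lands in ordinary web-server access logs. The following is an added example, not code from the thread or from the store's own site: it scans constructed access-log lines (the addresses, paths and the `q` parameter name are invented, since the real request format is not given here) for parameter values that decode to SQL statements, and separately flags reads of MySQL's privilege tables and paged whole-table reads, the two patterns the post above points at.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access log (Common Log Format). Client addresses, paths
# and the "q" parameter name are invented; the thread only establishes that
# the Flash client put the SQL it wanted run in the query string.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Oct/2009:10:01:02 +1300] "GET /order/menu.php?store=3&cat=pizza HTTP/1.1" 200 812
203.0.113.10 - - [12/Oct/2009:10:01:09 +1300] "GET /order/data.php?q=SELECT+name%2Cprice+FROM+menu+WHERE+store%3D3 HTTP/1.1" 200 4021
198.51.100.7 - - [12/Oct/2009:10:02:33 +1300] "GET /order/data.php?q=SELECT+user%2Cpassword+FROM+mysql.user HTTP/1.1" 200 1190
198.51.100.7 - - [12/Oct/2009:10:02:41 +1300] "GET /order/data.php?q=SELECT+*+FROM+customers+LIMIT+500+OFFSET+0 HTTP/1.1" 200 65000
192.0.2.55 - - [12/Oct/2009:10:03:00 +1300] "GET /images/devil.png HTTP/1.1" 200 5120
192.0.2.55 - - [12/Oct/2009:10:03:12 +1300] "GET /search.php?term=dropped+the+ball HTTP/1.1" 200 300
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" \d{3} \S+$'
)
# A whole statement (verb plus its usual clause), so a stray word like "dropped" is not hit.
SQL_STATEMENT = re.compile(
    r"\bselect\b.+\bfrom\b"
    r"|\binsert\s+into\b"
    r"|\bupdate\b.+\bset\b"
    r"|\bdelete\s+from\b"
    r"|\b(?:drop|alter|truncate)\s+(?:table|database)\b"
    r"|\bunion\s+(?:all\s+)?select\b",
    re.IGNORECASE | re.DOTALL,
)
# Reads of the MySQL privilege tables (where account hashes live) or the catalog.
SYSTEM_TABLE = re.compile(r"\bmysql\.\w+|\binformation_schema\b", re.IGNORECASE)
# Whole-table reads paged with LIMIT/OFFSET: the "dump it slowly" pattern.
BULK_READ = re.compile(r"\bselect\s+\*|\blimit\s+\d+", re.IGNORECASE)


def classify_value(value):
    """Reasons a decoded parameter value looks like client-supplied SQL ([] if none)."""
    if not SQL_STATEMENT.search(value):
        return []
    reasons = ["sql_statement"]
    if SYSTEM_TABLE.search(value):
        reasons.append("system_table")
    if BULK_READ.search(value):
        reasons.append("bulk_read")
    return reasons


def find_sql_in_requests(log_text):
    """One finding per request whose query string carries a SQL statement."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # parse_qsl undoes both '+' and %XX encoding before values are inspected
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            reasons = classify_value(value)
            if reasons:
                findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                                 "path": parts.path, "param": name,
                                 "sql": value, "reasons": reasons})
                break  # one finding per request is enough for triage
    return findings


def summarize_by_client(findings):
    """Flagged requests per client address; the busiest client is triaged first."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts
```

Run against the sample, the menu lookup is flagged as a statement but nothing more, while the second client earns the `system_table` and `bulk_read` reasons; on a real site any `sql_statement` hit at all is the finding, since an ordering front end should never be sending SQL.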
Comment removed (Score:5, Funny)
Re: (Score:3, Interesting)
Risky.Biz
... The Flash client makes queries which are hard-coded in the .swf (this is dumb as it means SQL Injection is effectively a 'feature' of the store).
Their webdesign company is called "Inject Design Ltd.". Go figure ...
You could easily alter the query string to show the hashes stored in the MySQL users table. I figured out the version of MySQL was 4.0 (Debian Sarge) - and the hashes in this version are very weak, cracking them would take less than a couple of hours.
I'm unsure what hashes he is talking about here. Password hashes? What was the weak hash algorithm?
Re: (Score:2)
He is talking about the password hashes. If you have MySQL, look in the MySQL catalog for the users table; it should have a field with password, where all passwords are hashed.
Haven't checked, but they were most likely using MD5 back then for hashing, so it's a matter of querying a rainbow table to get the passwords.
"my twitter has been hacked" (Score:1, Funny)
Maybe using that credit card number as a Twitter password wasn't such a good idea after all.
Old news, except for Hell (Score:5, Informative)
The original breach was at least one year ago, but Hell chose to ignore it. Whoever made their website allowed SQL code to be run from the URL.
Here's a blog [geekzone.co.nz] by the owner of the geekzone forum [geekzone.co.nz] that initially discovered the problem (because someone received spam from a disposable email address they used with the company).
Hell Pizza is Awesome! (Score:4, Interesting)
It's actually brilliant pizza -- easily the best pie I've ever had outside of the USA (or Italy). Inventive topping combinations and skillfully made. I wish they'd open a franchise here in California.
Re: (Score:2)
I wish they'd open a franchise here in California.
Go ahead and make an order [hellpizza.co.nz]. Your pizza may require reheating on arrival though.
Re: (Score:2)
They'd probably want to order from the Auckland store. Though I wasn't able to find how much Air New Zealand would want for shipping a pizza across the Pacific or if the US authorities would allow it to leave LAX.
Re: (Score:2)
I agree. The other pizza chains have raced to the bottom in terms of price, and as a result the quality is... well, let's just say that many biologists would have trouble identifying it as biological matter, much less food. Hell Pizza has not played that game, much to their credit. They are not a huge chain, and that's the way we like it.
Re: (Score:2)
I don't care whether it's a huge chain. I care much more about whether the food is good. Hell Pizza: good food, at a worth-paying-a-bit-more-for price.
Re: (Score:2)
I wish they'd open a franchise here in California.
For the pizza, for the possibility to get the phone number of the celebs in Hollywood or for both?
at least they were upfront about it (Score:5, Informative)
I received an email from Hell just under a week ago:
"Dear Valued Hell Customer,
We have been approached by a party claiming to be in possession of
customer details from the previous Hell website which is no longer in
operation. The samples that we received included details of four customers
from 2006, including phone numbers and email addresses and order
information. We can confirm that credit card data was not at risk as this
is held independently on a secure banking website.
Whilst we are still investigating the matter, we can confirm that the
information was obtained without our knowledge and we have approached the
New Zealand Police with a view to lodging a formal complaint."
They were upfront and open to their clients about the data breach, in a world where most corporates prefer the 'duck and hide' tactic. I appreciated their honesty, and will continue to shop there.
Re: (Score:3, Insightful)
I appreciated their honesty,
Yeah, they were so honest, they forgot to tell you about the other 229,996 customers...
Re: (Score:2)
Also, when you are already dealing with Hell, I think it's hard to get in good standing with the competition...
Re: (Score:2)
Re: (Score:2)
Dear Friend,
...
I am Lucifer of the Army of Evil. Our beloved father Satan is dead and has left an inheritance of $14,000,000,000, which I have to transfer to a foreign bank account.
Sad (Score:4, Insightful)
Sadly, this isn't the only computer system security SNAFU. It isn't often that you hear about it, but many of the systems I have seen are security WTFs. I continue to be amazed at how little some programmers understand about their trade, and I just don't have words for people who think the security of their computer systems isn't important. Getting a system that is completely secure may be too much to expect, but the least you can do is not make it easy for someone to walk right in and do whatever they want with your data after 5 minutes of observing the publicly accessible part of your system!
Re:Sad (Score:5, Insightful)
Okay but how can you make a non-technical customer pay for security? They will go to the cheapest vendor and pay later when it stuffs up.
just because they get paid... (Score:2)
I continue to be amazed at how little some programmers understand about their trade
What makes you think programming is different from any other profession?
You'd be amazed at how many "professionals" have absolutely no idea what they're doing, in any industry!
Re: (Score:2)
What's really crazy is how many video stores collect information with which they have no business. One video store wanted my SSN, I just made one up that was vaguely similar to mine so it would seem like a misremembrance if it ever came up somehow. You know they're not taking any care whatsoever with your data. Virtually nobody has a privacy policy, either. Crap, my local library logs all your activity, but then they can't tell me how long the data persists! I tried to explain to them that they were a state
Oh noes they know I like seafood pizza (Score:2, Funny)
Heaven Pizza for a change? (Score:1)
With the RFC'd angel bit on top?
Naaah... (Score:2)
"Tonight we dine in HEAVEN!!!" just doesn't have the same ring to it.
Re: (Score:2)
Hell's ordering portal (Score:2)
"about 50 steps of fail"? Why did he miss the opportunity to describe it as "abandon all hope, ye who enter here"?
Just hold on a minute here... (Score:2)
Re: (Score:1)
Re: (Score:2)
Say what? Is it the 1990s again?
Re: (Score:1, Funny)
support your local hooker. (look up rugby positions)
Re: (Score:2)
Re:Hell Pizza = Pizza in CA (Score:5, Funny)
Re: (Score:2)
Hell Pizza may suck on the security front (as evidenced by this story), but I have to say they make the best pizza I've ever had, anywhere... and that's a fairly ringing endorsement since I've eaten pizza on pretty much every continent on earth (including classic Italian pizza in Italy, New York pizza in New York, and so on).
It's also worth pointing out that while their security may suck, their web design is pretty awesome... Just playing with the cute little devils on their website [hellpizza.co.nz]
is a great time filler w
The problem was ... (Score:2)
Good pizza though at the branches near me on the west island.
Re: (Score:2)
Hell Pizza may suck on the security front (as evidenced by this story), but I have to say they make the best pizza I've ever had, anywhere... and that's a fairly ringing endorsement since I've eaten pizza on pretty much every continent on earth
I'm guessing they have frozen pizza in Antarctica ;)
Hells are ok, I see they say they have Australian stores - but I can't find where any of them are...
Oh well, lucky we have Crust [crust.com.au].
Re: (Score:2)
Re: (Score:2)
IMHO, Cicero's Pizza in San Jose has probably the best NY-style pizza outside of NY.