Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Image

Pizza Lovers Suffer Data Breach From Hell 164

netbuzz writes "Some 230,000 New Zealanders have been informed that their personal information has apparently fallen into the hands of hackers who compromised the network of a locally famous food chain, Hell Pizza. The company says it suspects 'a rogue employee,' but one security expert says Hell's ordering portal is 'about 50 steps of fail.' Several New Zealand celebrities are among the victims and at least one is taking the matter in stride, musing: 'My Twitter has been hacked, my Facebook has been hacked and I'm pretty sure half of New Zealand has my phone number already. I have nothing bad to say about Hell.'"
This discussion has been archived. No new comments can be posted.

Pizza Lovers Suffer Data Breach From Hell

Comments Filter:
  • by PizzaAnalogyGuy ( 1684610 ) on Thursday July 29, 2010 @12:13AM (#33065340)
    This reminds me of the time when I was 13. We had just got out of school and bicycled home. You know why? Because I, let me clarify _I_, had this new awesome game Lemmings. When we got to my house, I would fire up my Amiga and we would just laugh at the stupid lemmings jumping to their death if I didn't do something to stop them. Making them dig, guide others, or give them umbrellas - it was great.

    The problem was that later on we obviously got hungry. This happened many times. Someone had to go get some food. Pizza was the obvious choice. But who would it be? I didn't want to. So we played a game of rock paper scissors. Damn, I lost. I tried to have an another round, but they didn't let me. There was nothing I could do.

    I had to get up my ass and go get pizza. I asked my friends what they wanted. Adam said he wanted a delicious Pepperoni pizza. Jim said he wanted a Hawaiian pan pizza. I tried to remember their choices and took my bike. On the way over to the restaurant I tried to think what I want. Supreme pizza, double-cheese or maybe double bacon cheeseburger pizza?

    I arrived at the pizza place. The taste was beautiful. I felt like I was home. I walked in and ordered three large pizzas, mine being the double bacon cheeseburger pizza. I felt so hungry. I just wanted to grab the pizza and eat. When the pizzas came, I had to eat there. I also took a few pieces of my friends pizzas because I wanted to taste them. Man I was happy.

    Back then we didn't have credit cards, so I paid with the small amount of money that was in my pocket. No problems for the vendor, no problems for me, and everything worked greatly. The lesson being - pay with cash.
    • by Anonymous Coward on Thursday July 29, 2010 @12:20AM (#33065366)

      I thought the lesson was..

      "Don't let your asshole friend go to get the pizza, cause all he'll bring you home is a couple of cold slices"

      • by BrokenHalo ( 565198 ) on Thursday July 29, 2010 @02:58AM (#33066010)
        ...is why the hell some outfits feel the need to collect that much information about you just to sell you some food. After all, it doesn't make them a single extra sale. If you're not hungry, you're not going to buy a pizza.

        Any shop that tries to get that kind of information out of me gets a flat refusal. Likewise, any venue that tries to take my fingerprints or iris scan.
        • Likewise, any venue that tries to take my fingerprints or iris scan.

          Ah, my friend, these days they just digitally map your face using the 10s to 100s of cameras that film you every day. We know who you are, citizen.

        • by somersault ( 912633 ) on Thursday July 29, 2010 @03:44AM (#33066220) Homepage Journal

          why the hell some outfits feel the need to collect that much information about you just to sell you some food.

          Email address: to reset your password if you forget it (you'd want an account so you don't have to type in your address and payment info each time).
          Address: should be obvious.
          Phone number: to phone in case they don't get an answer at the door.

          TFA doesn't mention any extra personal details that were stolen. I don't see what's so crazy about them needing these other details for online ordering.

          • I am not sure if they store this info, but Dominos.com lets you pay by credit card on their online form, so that information very likely could be stored. And their pizza is much better to boot. I always get a lower price (the person on the phone is always rushed, hard to compare specials) AND I get points toward free food. Then again, I always use the (*)Cash option I prefer to tip in cash and the price is usually in the $15-$25 range is all. But ordering pizza by phone sucks, costs more and offers you

          • by Lumpy ( 12016 )

            Dominoes Pizza takes pride in the fact that the whore out, I mean sell every aspect of you over and over and over again. Collection agencies can get all your info from them on a subscription basis. Marketing companies also subscribe to their database as well as other companies. They are proud to throw their pizza customers info to the wind for anyone to buy.

            Most pizza places do this, they whore out your data left and right.

        • ...that much information...

          After reading TFA and visiting their website, I find that they don't collect a lot of extra information. The only thing I found unnecessary was gender - which might be a good courtesy measure (I've met a woman with my same name....it's a strange world.)

          Lets do less-than-brain-surgery to determine what information is required.

          Phone orders:
          Name, phone number, address, and the pizza order (size, crust, toppings, side orders, drinks, etc.) and the nearest franchise location. Possibly creating a list of previ

          • Re: (Score:3, Funny)

            I've met a woman with my same name....it's a strange world.

            I'll say! If I met a woman by the name of Crudely Indecent, I'd have to ask her the name of the movies she's starred in.
        • by mpe ( 36238 )
          ...is why the hell some outfits feel the need to collect that much information about you just to sell you some food.

          Maybe the ability to collect and store this came as standard with the system. With nobody ever bothering to ask if it was needed.
        • by Fizzl ( 209397 )

          One outfit in my life has _required_ to see my ID, my photo taken and issuing me with a mandatory customer card -- Grand* Casino in Helsinki, Finland. I guess the purpose of this for them to be able to identify any ocean eleven attempters in their glorious mega casino.

          (*) Grand: Couple of slot machines and black jack tables.

          • It should be obvious that it's for tax purposes and to defeat illegal activity connected with gambling (money laundering).

            Tax information is collected automatically here and so are your taxes. Any income from gambling is obviously taxable as well, so the government needs a way to collect that information.

            Gambling is strictly regulated in the Scandinavian countries and Finland. We don't like gambling [politically] and it's not wide spread.

            I don't think we even have a casino in Norway at all, the lottery is s

      • by syousef ( 465911 )

        I thought the lesson was..

        "Don't let your asshole friend go to get the pizza, cause all he'll bring you home is a couple of cold slices"

        No, the lesson is send your asshole friend who can't play rock, paper, scissors for shit to go get fat on pizza while you use his Amiga. Why the fuck should you pay for one? When he gets back with cold pizza refuse to pay cause hey he ate most of it and it's cold, then tell him it's time to go home.

    • Re: (Score:3, Funny)

      by Fluffeh ( 1273756 )

      I had to get up my ass and go get pizza. I asked my friends what they wanted. Adam said he wanted a delicious Pepperoni pizza. Jim said he wanted a Hawaiian pan pizza. I tried to remember their choices and took my bike. On the way over to the restaurant I tried to think what I want. Supreme pizza, double-cheese or maybe double bacon cheeseburger pizza?

      So, PizzaAnalogyGuy, there seems to have been a little bit of a mix-up. This story wasn't supposed to get published till Christmas and your dream story ended up on /.

      Between me and you, don't be expecting anything big under the tree in a few months. You can however, cherish this story, and the fact that you got first post on it.

      *sips coffee*

    • by _Sprocket_ ( 42527 ) on Thursday July 29, 2010 @12:40AM (#33065478)

      Back then we didn't have credit cards, so I paid with the small amount of money that was in my pocket.

      Did you have to move aside the onion you wore on your belt as that was the fashion at the time?

    • I will get my ass of your lawn immediately, SIR!!!!
    • Re: (Score:2, Informative)

      by SpzToid ( 869795 )

      replying due to unintentional mod.

    • by pinkushun ( 1467193 ) on Thursday July 29, 2010 @02:57AM (#33066006) Journal

      I thought the lesson was: If you fetch the chow, you're entitled to a service fee, payable in consumables purchased. Hmmm Lemming Pizza :P~

    • Re: (Score:3, Funny)

      I had to get up my ass...

      That's got to hurt!

      Your story reminds me of a High School job I had making pizzas.

      It was years before I could eat a pizza that I didn't make myself.

  • Shouldn't they be audited routinely if they conduct business online?
    • Uh... oh yeah, you mean "security audits." Yeah, uh, sure, we do that.
      • Re: (Score:3, Interesting)

        by GameboyRMH ( 1153867 )

        I wouldn't be surprised if they just had IT security audits done by KPMG and Ernst & Young while the data was being pulled out by the truckload through a gaping hole, just like the Latvian banks...

    • Can you imagine the roll call?

      Thompson, you got the banking industry, now make sure you are NOT distracted by those luscious red-headed twins they will send after you or for god sakes, say NO to the bulging envelopes of cash.

      William, you got the pizza place down the block. And for god sakes, stay away from their cousin Agnes, she fancies you and the last guy was crushed to death when she jumped on him. Oh, you are a slashdot reader? Then this might be your only chance.

  • by astroengine ( 1577233 ) on Thursday July 29, 2010 @12:19AM (#33065364) Homepage
    I'd hate it if half of New Zealand knew how much pizza I eat.
    • So, thank god you're like the other 99.6% of the world, and you DON'T live in New Zealand.
      • Re: (Score:3, Informative)

        Its actually a really nice place. Without a doubt the best place I have been outside Australia. Their government is small scale, but it seems to work better that way.

        • by tehcyder ( 746570 ) on Thursday July 29, 2010 @03:04AM (#33066022) Journal

          Its actually a really nice place. Without a doubt the best place I have been outside Australia.

          So you've just been there and Australia then?

        • Yeah agreed. Lovely country and I'd agree - best I've been to outside Australia in terms of where I'd want to live. And I've been to: the UK, the US, Canada, France, Singapore, Fiji (and Australia and NZ obviously).

        • If you can stomach the institutionalised racism.

          Eg; your bereavement leave entitlement depends on your race. If you are 'non-Maori' you get three days. If you are Maori you get 'as much time as you need to fulfil your cultural responsibilities'.

          Personally, I abhor this kind of thing; the only time your parentage should be of interest to the government should be on matters of nationality, not bereavement leave.

          I'm disgusted with New Zealand.

          • Native Americans get benefits. Australian aborigines get subsidies for housing, education, land. All of this is payback for all the raping and pillaging which went on when Europeans were colonizing their land. Its not specific to NZ, though the Maoris are probably in a better state than the other examples I gave. The way they are going, Australian aborigines will hardly exist in a couple of generations.

            • Under the UN convention on human rights its not appropriate to punish children for the crimes of their parents.

              And in this particular case, even if its 'payback' against New Zealanders of British descent, how about descendants of the newcomers who are of, say Chinese descent and who had nothing to do with the original colonisation? I guess they aren't even covered by the 'treaty of waitangi' and have no rights at all?

              Much in New Zealand society appears to be premised on the notion that if your ancestors arr

              • Under the UN convention on human rights its not appropriate to punish children for the crimes of their parents.

                I don't necessarily think you are wrong but I do think that the provisioning of alcohol to people who have no innate tolerance for it could be construed as chemical warfare. Thats pretty much the situation with Australian aborigines.

        • by agm ( 467017 )

          Our (I'm a NZer) government is small scale? Are you serious? It's nothing of the sort. We have an entrenched socialist system here, and as such it is not small scale.

      • Re: (Score:3, Insightful)

        by MachDelta ( 704883 )

        Actually that's 99.936%, sir.

        Oh god, I think I just overexnerded myself. :(

  • Or is the anonymous celeb indicating that he uses the same u/p for every single website he visits? Were that the case, it'd be interesting to see what other websites he/she has signed up for that haven't been compromised. I've heard you can't teach an old dog new tricks...
  • SQL Injection (Score:4, Informative)

    by Anonymous Coward on Thursday July 29, 2010 @12:24AM (#33065380)

    This isn't news.

    Their server would execute any SQL query sent to it. The SQL queries were hard coded into the Flash objects they used.

    • by $RANDOMLUSER ( 804576 ) on Thursday July 29, 2010 @12:28AM (#33065406)
      "I'd like to order a large, thin crust, double cheese, pepperoni and drop table..."
      • Re:SQL Injection (Score:5, Interesting)

        by MichaelSmith ( 789609 ) on Thursday July 29, 2010 @12:31AM (#33065428) Homepage Journal

        "I'd like to order a large, thin crust, double cheese, pepperoni and drop table..."

        No clear the table before you place your order so your pizza gets the priority it deserves.

      • by rumith ( 983060 )
        Hell, it's about time!
      • Re: (Score:2, Funny)

        by Splod ( 40032 )

        Can't believe nobody's made the "it was all fine until Bobby Tables ordered" joke yet: http://xkcd.com/327/ [xkcd.com]

      • Re:SQL Injection (Score:4, Insightful)

        by pinkushun ( 1467193 ) on Thursday July 29, 2010 @03:06AM (#33066030) Journal

        Why else would you Hack into a Pizza chain, other than to order free pizza?

        INSERT INTO ORDERS
        SELECT [cheese] AS [topping 1], [pepperoni] as [topping 2], [free] AS [price], [asap] AS [priority]

      • Re:SQL Injection (Score:4, Informative)

        by SplashMyBandit ( 1543257 ) on Thursday July 29, 2010 @04:13AM (#33066346)
        Mate, you should try a Hell pizza. They are completely awesome. The website used to have pictures of the pizzas and they not like Italian/American pizzas at all as they have a large number of ingredients on top (not just cheese, pizza sauce and peperoni). My favourite is the "Mordor" and if you ever get to NZ you ought to try it. The other excellent pizza is the 'Unearthly' dessert pizza - sooo good.
        • by HBoar ( 1642149 )

          Unfortunately they've gone down hill lately, as proved by their new ads admitting that they have less fat than pizza hut pizzas and less salt than dominoes. Now, Hells are still better (by a huge margin in the case of dominoes), but by what stretch of the imagination is low fat & salt a good thing for a pizza?? I'm not eating pizza to lose weight and maintain a healthy heart or whatever, and personally I need my salt as I do quite a lot of exercise.

          Anyway, Spagalimis do a better New Zealand pizza in

    • by mpe ( 36238 )
      Their server would execute any SQL query sent to it. The SQL queries were hard coded into the Flash objects they used.

      Pity the first extra command sent to it wasn't a DROP DATABASE :)
  • Hope it was a helluva good pizza.
  • It wasn't until I'd consumed it that I realized what was happening. Tom heartily recommended the new bread-disc, imploring I buy it with gusto:

    "Pete this triple layer, cheese, anchovy, jalapeno, ape and pepperoni monster will be the takeaway of your life. They put cayenne in the tomato puree and man...just buy it. Gotta be tasted to be believed."

    It's hardly common for that man to grant such an endorsement, and the next day I phoned up and got a jumbo 14" , the guy over the phone even said; 'We think you're

  • by SJ2000 ( 1128057 ) on Thursday July 29, 2010 @12:34AM (#33065460) Homepage
    Risky.Biz

    Immediately I spotted the SQL Queries being made by the Flash SWF as part of the query string to the server-side. The Flash client makes queries which are hard-coded in the .swf (this is dumb as it means SQL Injection is effectively a 'feature' of the store). You could easily alter the query string to show the hashes stored in the MySQL users table. I figured out the version of MySQL was 4.0 (Debian Sarge) - and the hashes in this version are very weak, cracking them would take less than a couple of hours. MySQL was listening on a remote port, so one could simply log in remotely and run queries or dump the database slowly so as to not be noticed.

    • by account_deleted ( 4530225 ) on Thursday July 29, 2010 @01:33AM (#33065672)
      Comment removed based on user account deletion
    • Re: (Score:3, Interesting)

      Risky.Biz

      ... The Flash client makes queries which are hard-coded in the .swf (this is dumb as it means SQL Injection is effectively a 'feature' of the store).

      Their webdesign company is called "Inject Design Ltd.". Go figure ...

      You could easily alter the query string to show the hashes stored in the MySQL users table. I figured out the version of MySQL was 4.0 (Debian Sarge) - and the hashes in this version are very weak, cracking them would take less than a couple of hours.

      I'm unsure what hashes he is talking about here. Password hashes? What was the weak hash algorithm?

      • by Splab ( 574204 )

        He is talking about the password hashes, if you have MySQL, look in the MySQL catalog for the users table, it should have a field with password, where all passwords are hashed.

        Haven't checked, but they where most likely using MD5 back then for hashing, so it's a matter of quering a rainbow table to get the passwords.

  • Maybe using that credit card number as a Twitter password wasn't such a good idea after all.

  • by tbird81 ( 946205 ) on Thursday July 29, 2010 @12:54AM (#33065544)

    The original breech was at least one year ago, but Hell chose to ignore it. Whoever made their website allowed SQL code to be run from the url.

    Here's a blog [geekzone.co.nz] by the owner of the geekzone forum [geekzone.co.nz] that initially discovered the problem (because someone received spam from a disposable email address they used with the company.

  • by mad.frog ( 525085 ) <stevenNO@SPAMcrinklink.com> on Thursday July 29, 2010 @12:55AM (#33065548)

    It's actually brilliant pizza -- easily the best pie I've ever had outside of the USA (or Italy). Inventive topping combinations and skillfully made. I wish they'd open a franchise here in California.

    • I wish they'd open a franchise here in California.

      Go ahead and make an order [hellpizza.co.nz]. Your pizza may require reheating on arrival though.

      • by mpe ( 36238 )
        Go ahead and make an order. Your pizza may require reheating on arrival though.

        They'd probably want to order from the Auckland store. Though I wasn't able to find how much Air New Zealand would want for shipping a pizza across the Pacific or if the US authorities would allow it to leave LAX.
    • by Hairy1 ( 180056 )

      I agree. The other Pizza chains have raced to the bottom in terms of price, and as a result the quality is... well lets just say that many biologists would have trouble identifying it as biological matter, much less food. Hell Pizza has not played that game, much to their credit. They are not a huge chain, and that's the way we like it.

      • I don't care whether it's a huge chain. I care much more about whether the food is good. Hell Pizza: good food, at a worth-paying-a-bit-more-for price.

    • by c0lo ( 1497653 )

      I wish they'd open a franchise here in California.

      For the pizza, for the possibility to get the phone number of the celebs in Hollywood or for both?

  • by Anonymous Coward on Thursday July 29, 2010 @01:12AM (#33065614)

    I received an email from Hell just under a week ago:

    "Dear Valued Hell Customer,

    We have been approached by a party claiming to be in possession of
    customer details from the previous Hell website which is no longer in
    operation. The samples that we received included details of four customers
    from 2006, including phone numbers and email addresses and order
    information. We can confirm that credit card data was not at risk as this
    is held independently on a secure banking website.

    Whilst we are still investigating the matter, we can confirm that the
    information was obtained without our knowledge and we have approached the
    New Zealand Police with a view to lodging a formal complaint."

    They were upfront and open to their clients about the data breach, in a world where most corporates prefer the 'duck and hide' tactic. I appreciated their honesty, and will continue to shop there.

    • Re: (Score:3, Insightful)

      by Dunbal ( 464142 ) *

      I appreciated their honesty,

            Yeah, they were so honest, they forgot to tell you about the other 229,996 customers...

    • by Splab ( 574204 )

      Also, when you are already dealing with Hell, I think it's hard to get in good standing with the competition...

    • by taniwha ( 70410 )
      maybe to you - I haven't received that email yet and I'm sure my email address is in there too somewhere
    • I received an email from Hell just under a week ago:

      Dear Friend,
      I am Lucifer of the Army of Evil. Our beloved father Satan is dead and has left over a inheritance of $14,000,000,000, which I have to transfer on a foreign bank account.
      ...

  • Sad (Score:4, Insightful)

    by RAMMS+EIN ( 578166 ) on Thursday July 29, 2010 @01:15AM (#33065624) Homepage Journal

    Sadly, this isn't the only computer system security SNAFU. It isn't often that you hear about it, but many of the systems I have seen are security WTFs. I continue to be amazed at how little some programmers understand about their trade, and I just don't have words for people who think the security of their computer systems isn't important. Getting a system that is completely secure may be too much to expect, but the least you can do is not make it easy for someone to walk right in and do whatever they want with your data after 5 minutes of observing the publicly accessible part of your system!

    • Re:Sad (Score:5, Insightful)

      by MichaelSmith ( 789609 ) on Thursday July 29, 2010 @01:19AM (#33065638) Homepage Journal

      Okay but how can you make a non-technical customer pay for security? They will go to the cheapest vendor and pay later when it stuffs up.

    • I continue to be amazed at how little some programmers understand about their trade

      What makes you think programming is different from any other profession?

      You'd be amazed at how many "professionals" have absolutely no idea what they're doing, in any industry!

    • What's really crazy is how many video stores collect information with which they have no business. One video store wanted my SSN, I just made one up that was vaguely similar to mine so it would seem like a misremembrance if it ever came up somehow. You know they're not taking any care whatsoever with your data. Virtually nobody has a privacy policy, either. Crap, my local library logs all your activity, but then they can't tell me how long the data persists! I tried to explain to them that they were a state

  • I'm not saying that I like all my information shared, but if they know my favourite pizza the worst case scenario is they send me one, I will wipe away the tears as I eat it.
  • With the RFC'd angel bit on top?

  • Comment removed based on user account deletion
  • "about 50 steps of fail"? Why did he miss the opportunity to describe it as "abandon all hope, ye who enter here"?

  • Flight of the Conchords taught me that kiwis are still using Commodore 64's and dialup. YOU LIED TO ME, BRETT AND JERMAINE!

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...