SecureConnect Logo
Phone: 888-949-7328 | mySecureConnect Login
 
pci-compliance.jpg
Home| Blog > Data Security > Passwords and Pepperoni…

Passwords and Pepperoni

by Blake Huebner @ . July 29, 2010 . 12:10PM

Hell Pizza, a New Zealand based pizza chain, recently sent out an email to its 230,000 customers to change their passwords. They believe that they have suffered a breach, but cannot yet identify the attack vector (this could be a rogue employee or poorly designed website).

While I applaud Hell Pizza for notifying their customers, since web users typically use the same email and password for websites they authenticate to, they didn’t adequately protect the information to begin with. According to sources at risky.biz, the hackers have obtained private information including passwords, email and home addresses and phone numbers, in addition to order information. Apparently, no cardholder data was obtained.

Merchants are continually trying to enhance the user experience by offering such services as online ordering. However, this can be a disservice to your customers if not properly implemented, as in the case of Hell Pizza. Developing a web site with insecure coding is a poor way to conduct business.

While representatives from Hell Pizza indicated that cardholder data wasn’t breached, it would seem likely that the online payment card flow would put their servers in scope for PCI. Vulnerability scanning, as conducted by an ASV (of which BHI SecureConnect is one) should have shown the SQL injection vulnerability (as reported by risky.biz). In addition, validation by completing the Self Assessment Questionnaire would indicate that one cannot provide direct database access from the internet (mySQL was reportedly listening on the public side), among many other violated requirements.

Hell Pizza should have conducted due diligence in assessing their security posture, and if in scope for PCI, have a contractual obligation to fulfill the PCI requirements.

This should also serve as a lesson for consumers to not use the same password for the websites that you access. A breach could potentially allow access to online banking and other personal records. Use a password databases, such as the open source (ie free) KeePass Password Safe, to keep your passwords safe and straight.

Filed under: Data Security, Internet Security, PCI Compliance, PCI DSS, PCI SAQ, PCI SSC, Payment Processing | Tags: , , , , , , , , , , , , , , , , , ,



 
 
Learn More
Why SecureConnect
 Packages
 Managed Firewall
 PCI Compliance
 Archived Webinars
 SecureConnect Blog
 Case Studies
 FAQs

SecureConnect Scoop
About Us
 Approved Scanning Vendor
 Careers
 Press Releases
 Terms of Use
 Privacy Policy
 Site Map
 Next Steps
Send Informational Packet
 Get a Free PCI Scan
 Receive Communications from us
 Request a Free PCI Consultation
 Launch the PCI Wizard
 Email Us
 Sign Up
 mySecureConnect Login
 Call Direct: 888.949.7328

 Follow SecureConnect
Follow us with RSS feed Subscribe to our RSS feed
Follow us on Twitter Follow us on Twitter
Follow us on Facebook Become a Facebook fan
Follow us on Facebook See our events on Flickr
Visit our profile on Linkedin Join us on Linkedin
© 2010 BHI Advanced Internet, Inc. Provider of SecureConnect®. All Rights Reserved.