Some customers also reported fraudulent card transactions, which they suspect may have occurred due to the Pizza Hut hack.
The "temporary security intrusion" lasted for around 28 hours, the email said, and the details leaked are believed to include names, billing post codes, delivery addresses, email addresses and payment card information - meaning account number, expiration date and CVV number - were compromised.
Pizza Hut said in a statement that the breach had affected "some customers" who visited its United States website or mobile application during an approximately 28-hour period (from the morning of 1 October 2017 to midday on 2 October 2017), and subsequently placed an order, may have been compromised. Pizza Hut said that its website was hacked and some of its customers who used the fast food chain's website and app were affected by the breach.
The unauthorized access to Pizza Hut's servers originally occurred on October 1.
The customer notice said Pizza Hut is talking to cybersecurity experts outside of the company to look into the apparent hack and to make sure it doesn't happen again.
While it's often considered best practices to inform people as soon as possible to ensure that consumers can take action to protect their information-especially when financial information is at risk-there are legitimate reasons for holding off on disclosure, including tipping off other hackers about a potential vulnerability before it is patched and risking further breaches.
"The ICO suggests organisations should report personal data breaches that may cause "serious harm" to individuals affected by the breach - it is essential companies act quickly in making this assessment". We estimate that less than one percent of the week's traffic was affected.
It is still unclear as to how many users may have been affected by the breach and whether the hackers were able to get their hands on any corporate data.