Everyone has heard about the Hell Pizza database leak, but what is only now showing up in the media is a story that has been developing for more than twelve months. Back in August 2009 some Geekzone users reported receiving spam at email addresses they had used only with Hell Pizza's online ordering system.

At the time someone posted in our forums on behalf of Hell Pizza saying "we don't sell email addresses (very bad), nor have we been hacked (our web servers are behind dedicated, monitored firewalls). We use software from Interspire and I'm not aware of any security vulnerabilities in the latest version we have installed."

Fast forward thirteen months to this week: the blog Risky.Biz published "I know what you ate last summer", in which it reveals that "multiple intruders have compromised Hell Pizza's 400mb (sic) database. While it does not contain any credit card information, it does contain in excess of 230,000 rows of customer entries."

It continues: "When contacted by Risky.Biz, Hell Pizza co-owner Stuart McMullin said he was unaware of the data breach. He offered no comment when a list of questions was e-mailed to him, beyond acknowledging the contact from "concerned customers" in 2009."

"I have spoken to my IT staff and they are not aware that our site was hacked or any records lost," McMullin wrote in an e-mail to Risky.Biz. "There were a couple of 'customers' that thought it was the case last year who emailed us - perhaps these are the sources you are referring to - but not to our knowledge."

The New Zealand media picked up the story, and the NBR published "Hell Pizza: customer database could have been hacked". Chris Keall contacted Hell Pizza director Warren Powell, who said "Everybody gets hacked into, even the Pentagon." He also added that the potentially stolen data was "of no value to anyone."

That's the problem. The data is valuable: to spammers, and to anyone who would like to try those 230,000 passwords on other sites, since it is well known that many Internet users reuse the same password across different sites. A leaked email address and password pair can therefore lead to account takeover elsewhere and, from there, to identity theft. This is serious business.

According to a story on Stuff, "Hell's director Warren Powell told NZPA he is unaware of any breach in security, and IT staff have so far found nothing proving information has been stolen."

Now comes the interesting part. Mr Warren Powell said to Stuff: "If there is a breach of security it will appear, data would have been removed and therefore it would appear as a download. We'll be able to find out the day and the computer it was downloaded to and we'll be able to prosecute this person if they exist."

They won't find anything. If Risky.Biz is correct, the old Hell Pizza ordering system was developed with poor attention to security: the application running in the user's browser was sending its queries straight through to the database, with the web server doing nothing more than passing them on.

This means every query arrived at the database as a legitimate-looking connection from the web server, so those "dedicated, monitored firewalls" would not have helped. A firewall lets web traffic through, and web traffic was the attack.

It also means anyone could issue commands to the database and receive the data back in the response. In that case the theft would not appear as a "download" at all. It would be a series of ordinary web requests in the web server logs, looking like any other customer placing an order unless someone goes through those logs specifically looking for SQL in the query strings.
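To make the logging point concrete, here is an added example in Python. It is not code from Hell Pizza, Interspire or Risky.Biz, and the endpoint name `/order/sql.php`, the `customers` table layout and the access-log lines are all constructed for illustration. It reconstructs the pattern described above: a hypothetical server-side script that executes whatever SQL the browser sends, a hardened replacement that only accepts a named action and binds the user-supplied value as a parameter, and a scan over Apache combined-format log lines showing that a bulk dump of the customer table shows up as ordinary GET requests, recoverable only by decoding the query strings and totalling the response sizes per client address.

```python
import re
import sqlite3
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample data; not Hell Pizza's real schema or records.
SAMPLE_CUSTOMERS = [
    ("alice@example.net", "pizza123"),
    ("bob@example.org", "letmein"),
    ("carol@example.com", "hunter2"),
]


def build_sample_db():
    """In-memory SQLite standing in for the ordering system's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    db.executemany("INSERT INTO customers (email, password) VALUES (?, ?)", SAMPLE_CUSTOMERS)
    db.commit()
    return db


def vulnerable_sql_script(db, query_string):
    """Hypothetical server-side script that runs whatever SQL the browser sends.

    The database connection is opened by the web server itself, so a firewall
    between web server and database sees a perfectly normal query.
    """
    sql = parse_qs(query_string).get("sql", [""])[0]
    return db.execute(sql).fetchall()


# Hardened form: the browser names an action, the server owns the SQL and
# binds the only user-supplied value as a parameter.
ALLOWED_QUERIES = {
    "lookup": "SELECT id, email FROM customers WHERE email = ?",
}


def hardened_endpoint(db, query_string):
    params = parse_qs(query_string)
    action = params.get("action", [""])[0]
    arg = params.get("arg", [""])[0]
    sql = ALLOWED_QUERIES.get(action)
    if sql is None:
        raise PermissionError("unknown action: %r" % action)
    return db.execute(sql, (arg,)).fetchall()


# Constructed Apache combined-format lines for the hypothetical /order/sql.php
# script. The second and third requests page through the customers table.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [12/Aug/2009:03:14:05 +1200] "GET /order/menu.php?store=12 HTTP/1.1" 200 8311 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2009:03:14:09 +1200] "GET /order/sql.php?sql=SELECT+email%2Cpassword+FROM+customers+LIMIT+1000+OFFSET+0 HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2009:03:14:12 +1200] "GET /order/sql.php?sql=SELECT+email%2Cpassword+FROM+customers+LIMIT+1000+OFFSET+1000 HTTP/1.1" 200 51198 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Aug/2009:03:15:40 +1200] "POST /order/checkout.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)
# A statement keyword followed somewhere by a clause keyword; loose on purpose.
SQL_RE = re.compile(r"\b(select|union|insert|update|delete|drop)\b.*\b(from|into|table|set)\b", re.I)


def find_sql_in_access_log(log_text):
    """Return (ip, timestamp, decoded query string, response bytes) for every
    request whose URL-decoded query string looks like a SQL statement."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote_plus(urlsplit(m.group("path")).query)
        if SQL_RE.search(decoded):
            hits.append((m.group("ip"), m.group("ts"), decoded, int(m.group("size"))))
    return hits


def summarise(hits):
    """Per-source request count and total bytes: the 'download' the logs
    actually record, and the closest thing to 'the day and the computer'."""
    totals = {}
    for ip, _ts, _sql, size in hits:
        count, total = totals.get(ip, (0, 0))
        totals[ip] = (count + 1, total + size)
    return totals


if __name__ == "__main__":
    hits = find_sql_in_access_log(SAMPLE_ACCESS_LOG)
    for ip, ts, sql, size in hits:
        print(ip, ts, size, sql)
    print(summarise(hits))
```

The scan only works because the SQL travelled in the query string of a GET; had the old site sent it in a POST body, the default access log would record nothing but the path and the response size, and the "download" would be invisible even to this check.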

I tried contacting Hell Pizza via email but received no reply.

Geekzone users noticed that the Hell Pizza Ireland website could still be running the old, apparently vulnerable version of the ordering system. Both Hell Pizza Australia and Hell Pizza UK are currently returning server errors, with messages suggesting that they too were running the apparently vulnerable version until recently. Perhaps they were taken down to prevent further access to the data?

One Geekzone user alerted me to further evidence of a vulnerability in the old Hell Pizza ordering system: a Google search reveals a script that existed only to execute SQL commands, so exposed in fact that even Google's crawler found it and cached a result:

In an email sent to customers this week, Stu McMullin, Hell Pizza Director, says "Whilst we are still investigating the matter, we can confirm that the information was obtained without our knowledge and we have approached the New Zealand Police with a view to lodging a formal complaint. Hell recognises the importance of protecting customer information and additional security measures were implemented earlier this year when our new website was rolled out (again, we reiterate that this is not an issue affecting the new website). As a further security measure you may wish to consider changing your passwords on other sites if they were the same as the old Hell Pizza website."

Juha Saarinen reminded us, via Twitter, of the Privacy Commissioner's Privacy Breach Guidelines.

How long has Hell Pizza known about this security breach? Or did they only realise something was happening after Risky.Biz contacted them? If they did know, why wasn't it disclosed earlier? And will other New Zealand companies work to improve their IT security practices after seeing this happen?
