Advertisement
11/18/2021

California Pizza Kitchen employee data exposed in breach

Dan Berthiaume
Senior Editor, Technology
Dan Berthiaume profile picture
California Pizza Kitchen is reporting that a security breach may have compromised employee data.

A September hacking incident at California Pizza Kitchen may have compromised some highly sensitive data of current and former employees.

According to a document filed by the Office of the Maine Attorney General, the legal counsel for California Pizza Kitchen submitted a report stating that on Sept. 15, 2021, the company first discovered an external system breach (identified as hacking) that exposed Social Security numbers of almost 104,000 current and former employees, including eight Maine residents.  

In a written notice to affected individuals, California Pizza Kitchen said that on Sept. 15, 2021, it discovered “suspicious activity” in its computing environment. The company secured the environment and with the assistance of third-party computer specialists, launched an investigation.

In early October, the investigation confirmed that some internal files could have been accessed without authorization. On Oct. 13, the retailer determined that data including Social Security numbers of close to 104,000 current and former employees was included in the breached files.

Although California Pizza Kitchen says there is no indication that any specific information was accessed or misused, it is notifying all potentially impacted current and former workers. In addition to this notification and working to implement additional safeguards and training, the retailer is providing access to free TransUnion credit monitoring services for 12 months for potentially affected individuals. The company is also providing guidance on how to better protect against identity theft and fraud.

Erich Kron, security awareness advocate at cybersecurity company KnowBe4, told Chain Store Age that data breaches have become the “new normal” these days.

“The fact that this particular data breach involved employees' personally identifiable information is unfortunate because of the potential legal ramifications that it can cause for the company,” said Kron. “Social security numbers, such as the ones that were lost here, are very valuable to attackers, especially around the end of the year. Cybercriminals can use the information lost here, along with other information they may be able to find out about a person, to file fraudulent income tax returns or to otherwise steal the identity of data breach victims. The employees of California Pizza Kitchen should monitor their credit reports closely over the next few months for any fraudulent activity and report anything suspicious immediately." 

Danny Lopez, CEO of Glasswall, said retailers need to adopt a two-fold solution of training and technology to prevent cybersecurity incidents.

“Training plays a vital role in any rounded approach to cybersecurity by arming as many users as possible to be alert to risks and follow best practices,” said Lopez. “The problem is, much of these training efforts are little more than an exercise in box ticking, covering the basics with employers then assuming their staff will remember what they need to do on every single occasion in the future when they are exposed to risk. Whether they are right or wrong, employees should be encouraged to always raise the alarm if something doesn’t feel right.

“On the technology side, taking a proactive, zero trust, never trust, always verify approach to cybersecurity and having the measures in place to prevent attacks from penetrating your systems is critical. It’s also far more efficient and cost-effective than relying solely on your employees.”

[Read more: Study: Retail cyberattacks grow more sophisticated]