The chain learned October 4 that certain files had been accessed without authorization.
California Pizza Kitchen recently reported a data breach that gave hackers access to the names and Social Security numbers of more than 103,700 former and current employees.
The pizza chain said it learned of a "disruption to certain systems" on or around September 15. Once discovered, personnel secured the computing environment with the aid of leading third-party forensic specialists and launched an investigation to understand the nature and scope of the incident. On October 4, CPK confirmed that certain files had been accessed without authorization.
In response, the company said it took steps to review and reinforce security. It also looked over existing security polices, implemented more measures to prevent similar actions from happening again in the future, and reported the incident to law enforcement. As a precaution, CPK is offering targeted parties membership of Experian's IdentityWorks, a product that helps with resolution of identity theft.
CPK isn't the first restaurant to get hacked this year. In June, McDonald's announced that breachers stole data in its U.S., South Korea, and Taiwan markets. The hackers accessed contact information of employees and franchisees, and other details like seating capacity and square footage.
Erich Kron, security awareness advocate at cybersecurity company KnowBe4, said data breaches "have become the new normal these days." He advised that any affected party should monitor their credit reports closely in the next few months for any fraudulent activity.
"The fact that this particular data breach involved employees' personally identifiable information is unfortunate because of the potential legal ramifications that it can cause for the company," Kron said in a statement. "Social security numbers, such as the ones that were lost here, are very valuable to attackers, especially around the end of the year. Cybercriminals can use the information lost here, along with other information they may be able to find out about a person, to file fraudulent income tax returns or to otherwise steal the identity of data breach victims."
Paul Laudanski, head of threat intelligence at Tessian, said that given the amount of time between the breach and when authorities were notified, hackers had "plenty of time" to execute financial fraud.
"I wouldn’t be surprised if the IRS has to deal with fraudulent tax returns as a result of this breached SSN pool," Laudanski said in a statement. "To avoid falling victim to these attacks, it’s essential that all impacted employees issue credit freezes with the major credit bureaus. Communication and transparency will be vital from here on out as we determine the fallout from this breach."
Murphy Law Firm, a company that specializes in federal securities class action lawsuits, announced an investigation into claims of individuals whose information was compromised in the CPK data breach.