Dutch pizza chain discloses breach after hacker tries to extort company

New York Pizza, one of the largest pizza restaurant chains in the Netherlands, has disclosed today a security breach after a hacker tried to extort the company over the weekend.

"Last Sunday night on Monday morning we received some emails from a hacker," the company said in a statement published on its website. "This hacker claimed he stole a large amount of customer data from New York Pizza and threatened to publish or sell it."

New York Pizza said they believe the hacker got its hands on the data of approximately 3.9 million users, a number that represents around 22% of the Netherlands' entire population.

Stolen data includes some pretty personal details, such as real names, delivery addresses, email addresses, telephone numbers, hashed passwords for NYP online accounts, past orders, and in some cases, even dates of birth.

The Dutch company, which is currently in the process of extending its franchise base to neighboring Belgium, said it worked with local security firm Fox-IT to investigate the incident and patch the bug exploited in the intrusion.

It also notified the Dutch data protection authority and said it plans to file a complaint with law enforcement once its investigation is over.

Company expects data to leak

In the meantime, the company is notifying all impacted users and asking them to change passwords for their NYP accounts.

Furthermore, the company also told users it fully expects the stolen information to be leaked online at one point in the future and that threat actors will most likely abuse the stolen information for fraud or other forms of online crime.

"Data can possibly be used improperly, for example for phishing and spam," it said.

"It is also possible that you will be contacted by telephone or email. They can then ask for additional information or approach you to make a payment."

"Our advice is not to respond to this and to always remain alert to fraud or identity theft. PLEASE NOTE: Do not press links do not respond to emails from the sender '[email protected]'," the company added.

The breach, which is quite massive for the Netherlands' size, is the second major security breach that impacted the small country this year. In March, a hacker put up for sale the data of more than 7.3 million Dutch car owners.