California Pizza Kitchen (CPK) served up more than tasty meals recently after a data breach exposed the names and Social Security numbers (SSNs) of more than 100,000 current and former employees.
The “external system breach” occurred on Sept. 15 at the popular U.S. pizza chain and affected 103,767 people, according to a Data Breach Notification posted on the website of the Maine Attorney General. CPK, founded in Beverly Hills, Calif. in 1985, has more than 250 locations across 32 states.
CPK discovered “suspicious activity” in its computing environment “on or about Sept. 15” and took hasty action to mitigate and investigate the occurrence with third-party IT specialists, according to the notice.
“CPK immediately secured the environment and … launched an investigation to determine the nature and scope of the incident,” the company wrote in the notice CPK sent to affected residents of Maine.
By Oct. 4, investigators had confirmed that certain files on CPK’s systems “could have been accessed without authorization,” according to the notice. By the end of the initial review on Oct. 13, it was clear that the breach had delivered attackers the names of former and current employees in combination with their SSNs, the company said.
CPK provided written notice to all affected individuals of the breach on Monday, Nov. 15. At this time there is no indication that the information accessed has been abused by cybercriminals, the company said.
Training Equals Prevention
Specifics have not been revealed about exactly what type of breach occurred nor how attackers infiltrated the system. CPK did not immediately return Threatpost’s request for comment on the incident.
The company is currently reviewing existing security policies and has implemented additional measures – including safeguards and employee training – to help prevent similar incidents going forward, according to the notice.
One security professional noted that employee training is a key element of helping to avoid breaches like this, which are all too common at organizations that have sensitive data on their networks but typically employ people without specific knowledge of how security breaches can occur.
“Every business like California Pizza Kitchen possesses valuable PII data which makes them a prime target for attackers,” Al-Khalidi, co-founder and co-CEO of security firm Axiad, wrote in an email to Threatpost. “To help protect against attacks, enterprises need to ensure their employees practice good cybersecurity hygiene.”
Ongoing training, which can prevent employees from falling prey to phishing or other socially engineered attacks that can take down an entire IT environment, can bolster a company’s overall security defense, he said.
Indeed, “training plays a vital role in any rounded approach to cybersecurity by arming as many users as possible to be alert to risks and follow best practices,” concurred Danny Lopez, CEO of security firm Glasswall.
However, training is little more than “box-ticking” and won’t help prevent breaches like the one CPK experienced if employees aren’t encouraged to “raise the alarm if something doesn’t feel right” without fear of ridicule or punishment if they speak up, he added.
Moreover, employee training can’t replace a solid technology-based security posture that errs on the side of paranoia in preventing cyber-attacks, Lopez told Threatpost via email.
“Taking a proactive, zero trust (never trust/always verify) approach to cybersecurity and having the measures in place to prevent attacks from penetrating your systems is critical,” he said. “It’s also far more efficient and cost-effective than relying solely on your employees.”
Cybersecurity for multi-cloud environments is notoriously challenging. OSquery and CloudQuery is a solid answer. Join Uptycs and Threatpost for “An Intro to OSquery and CloudQuery,” an on-demand Town Hall with Eric Kaiser, Uptycs’ senior security engineer, and find out how this open-source tool can help tame security across your organization’s entire campus.
Register NOW to access the on-demand event!