Customer database breach hellishly simple

Private information including passwords, email and home addresses, phone numbers - plus pizza orders - have fallen into the hands of the anonymous cyber hackers. Photo / Martin Sykes

Who knew getting into hell was this easy?

The directors of Hell Pizza last week blamed hackers for breaking into their confidential customer database.

But the Herald on Sunday has found that all that was needed to access the 230,000 accounts was simply to type the words "Hell Pizza" into the Google internet search engine.

Personal details such as account passwords, email addresses and customers' favourite pizza topping could be viewed from an online link.

Several security experts emailed the Herald on Sunday in response to the article, showing how easy it was to get into the Hell site.

They emailed links revealing details for 1000 customers from each of Hell Pizza's overseas sites in Australia, the United Kingdom, and Ireland.

Those overseas sites were later taken offline while embarrassed Hell bosses tried to shore up security.

One of the internet experts who showed the Herald on Sunday how easy it was to access the site is now helping Hell fix its problems.

And it emerged that Hell Pizza was first warned about the breach last year.

Hell Pizza spokesman Matthew Blomfield agreed the site was not as secure as it could have been.

"No doubt we could have informed people earlier but we didn't realise the extent of the issue until recently," he said.

Last week directors from Hell Pizza turned up at Enlightened Designs' office questioning whether two staff members from the company were responsible for hacking the system.

"It turns out they were the whistleblowers," said Blomfield.

Celebrity customers whose personal information was released included Target presenter Brooke Howard-Smith, comedian Dai Henwood, entrepreneur Seeby Woodhouse, former Green party MP Nandor Tanczos and DJ Mike Puru.

Paul McKitrick, chairman of the New Zealand internet Task Force, said there were rumours at the Kiwicon computer security conference last November about a large ecommerce site whose customer database had been compromised.

"At the time Hell Pizza was not named, however ... [it would now] appear that the rumour was about Hell Pizza."