100,000 California Pizza Kitchen employee SSNs compromised in data breach

November 19, 2021

On or around September 15, 2021, California Pizza Kitchen discovered suspicious activity on its computer systems. By October 4, 2021, a forensic investigation performed by third-party IT professionals confirmed that cybercriminals had infiltrated California Pizza Kitchen’s computer systems and gained unauthorized access to certain files.

A notice provided by California Pizza Kitchen to the Maine Attorney General's Office reported that the investigation assessed the organization's email environment security. Following additional investigation, California Pizza Kitchen concluded that cybercriminals may have accessed the personal information of more than 103,000 individuals, including their names, Social Security numbers and other identifying information.

California Pizza Kitchen has offered affected employees credit monitoring and identity theft and insurance services.

In response to the cyberattack, security leaders give their insights into its ramifications and prevention best practices:

Bassam Al-Khalidi, Co-CEO and Co-Founder of Axiad, said, "Every business like California Pizza Kitchen possesses valuable personal identifiable information (PII) data which makes them a prime target for attackers. To help protect against attacks, enterprises need to ensure their employees practice good cybersecurity hygiene. Ongoing training can help defend against threats such as phishing or other social engineering attacks that often lead to breaches.”

Erich Kron, Security Awareness Advocate at KnowBe4, commented, "Unfortunately, data breaches have become the new normal these days. The fact that this particular data breach involved employees' PII is unfortunate because of the potential legal ramifications that it can cause for the company. Social Security numbers, such as the ones that were lost here, are very valuable to attackers, especially around the end of the year. Cybercriminals can use the information lost here, along with other information they may be able to find out about a person, to file fraudulent income tax returns or to otherwise steal the identity of data breach victims. The employees of California Pizza Kitchen should monitor their credit reports closely over the next few months for any fraudulent activity and report anything suspicious immediately."

Danny Lopez, the CEO of Glasswall, noted a two-fold approach involving training and technology to prevent future incidents. According to Lopez, "Training plays a vital role in any rounded approach to cybersecurity by arming as many users as possible to be alert to risks and follow best practices. The problem is, much of these training efforts are little more than an exercise in box ticking, covering the basics with employers assuming their staff will remember what they need to do on every single occasion in the future when they are exposed to risk.

People should understand that protecting their organization from the impact of a security breach isn’t just about always applying every element of their training on every single occasion, it’s also about raising the alarm if a breach may have occurred without fear of punishment. Whether they are right or wrong, employees should be encouraged to always raise the alarm if something doesn’t feel right.

On the technology side, taking a proactive, zero trust (never trust/always verify) approach to cybersecurity and having the measures in place to prevent attacks from penetrating your systems is critical.”

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.