California Pizza Kitchen (CPK) identified a data breach that exposed the Social Security numbers of more than 100,000 current and former employees. CPK confirmed the incident in a data breach notification posted in November of 2021. The company said it learned of a “disruption” to its systems two months earlier on September 15 and moved to “immediately secure” its environment. By October 4, the company said it had determined cybercriminals had infiltrated its systems and gained access to certain files, including employee names and SSNs.
While CPK didn’t confirm how many people are impacted by the breach, a notification from the Maine attorney general’s office reported a total of 103,767 current and former employees — including eight Maine residents — were affected. CPK employed around 14,000 people as of 2017, suggesting the bulk of those affected are former employees.
A class-action lawsuit has been filed by two former CPK employees against CPK, contending that the risk of a cyberattack and the potential disclosure of current and former employees’ data was foreseeable to CPK, which the complaint claims stored the affected information in “a reckless manner.”
Why is this important?
Because much of the exposed data belonged to former employees, the absence of a data minimization program that would have reduced the amount of sensitive data on hand both widened the exposure and left CPK open to a class-action lawsuit from those former employees.
CPK also apparently waited as much as four to six weeks after discovering the breach to issue a data breach notification.
What does this mean to me?
It’s important to identify and properly secure sensitive data within your organization. It’s even more important to promptly erase data that is no longer needed, as doing so is a compliance requirement under data privacy laws like GDPR. It is also important for organizations to prepare for a breach: how an organization handles its response can affect its liability.
- Incident Response Readiness
- Incident Response Plan
- Tabletop exercises
- Technology review of monitoring, alerting, and logging solutions – SIEM, EDR, MDR, IPS, Log aggregation, Threat monitoring
- Data Minimization Program
- Sensitive Data Scanning
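The last two items, sensitive data scanning and a data minimization program, are the ones a security engineer can turn into a repeatable check. The script below is an added example written for this page, not code from CPK or from the original article. It scans a constructed in-memory corpus (the file paths and the numbers are made up) for hyphenated SSNs, applies the Social Security Administration’s structural rules to discard obviously invalid matches, and flags any file that still holds SSNs but has not been modified within an assumed retention window as a candidate for deletion review, which is exactly the stale-former-employee data the breach exposed.

```python
import re
from datetime import datetime, timedelta

# Hyphenated SSN form only (AAA-GG-SSSS); the word boundaries keep
# phone numbers such as 555-123-4567 from matching.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Apply the SSA structural rules so obvious junk is not reported.

    Area 000, 666 and 900-999 are never issued; group 00 and serial 0000
    are invalid. This is plausibility, not proof that a number was issued.
    """
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True


def find_ssns(text: str) -> list[str]:
    """Return the plausible SSNs found in a blob of text, in order."""
    return [
        f"{a}-{g}-{s}"
        for a, g, s in SSN_RE.findall(text)
        if is_plausible_ssn(a, g, s)
    ]


def scan_files(files: dict, now: datetime, retention_days: int) -> list[dict]:
    """Scan in-memory files and classify each one that holds SSNs.

    files maps path -> (content, last_modified). A file with SSNs that has
    not been touched within retention_days is flagged for deletion review;
    everything else with SSNs is flagged for access controls and monitoring.
    """
    cutoff = now - timedelta(days=retention_days)
    findings = []
    for path, (content, modified) in sorted(files.items()):
        ssns = find_ssns(content)
        if not ssns:
            continue
        findings.append({
            "path": path,
            "ssn_count": len(ssns),
            "last_modified": modified.date().isoformat(),
            "action": "review_for_deletion" if modified < cutoff else "protect",
        })
    return findings


# Constructed sample corpus: hypothetical paths, made-up numbers.
NOW = datetime(2021, 11, 1)
SAMPLE_FILES = {
    "hr/payroll_2016.csv": (
        "name,ssn\nA Former,123-45-6789\nB Former,078-05-1120\n"
        "C Bad,000-12-3456\nD Bad,666-12-3456\nE Bad,987-65-4321\n"
        "F Bad,123-00-4567\nG Bad,123-45-0000\nH Redacted,XXX-XX-6789\n",
        datetime(2016, 12, 31),
    ),
    "hr/active_roster.csv": (
        "name,ssn\nI Current,234-56-7890\n",
        datetime(2021, 10, 15),
    ),
    "marketing/menu.txt": (
        "Call 555-123-4567 for catering.\n",
        datetime(2021, 9, 1),
    ),
}


if __name__ == "__main__":
    # Assumed three-year retention window; tune to your own policy.
    for finding in scan_files(SAMPLE_FILES, NOW, retention_days=365 * 3):
        print(finding)
```

Run against a real file share the scan would walk directories and read file modification times instead of the embedded dictionary, and the output would feed two separate queues: files marked `protect` go to the access-review and monitoring work listed above, files marked `review_for_deletion` go to the records owner for disposal. The invalid-number filter matters in practice because without it, test fixtures and placeholder values inflate the finding count and bury the real records.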
Commonality of attack