The company informed its employees of the data breach on November 15, two months after it first found signs of a cyber incident. It has also stated that “there is no indication that individuals’ specific information was accessed or misused.”
Details of the Data Breach
The company’s headquarters is located in Playa Vista, California. It has close to 200 restaurants around the world. According to a posting on the website of the Maine Attorney General, the incident affected a total of 103,767 people. CPK alerted its former and current employees about the data breach on Monday, November 15. Below is a timeline of the key events:
September 15, 2021: CPK learned of a “disruption” to certain systems in its computing environment. The company immediately took mitigatory steps to secure its environment. It also launched an investigation into the incident with the help of a leading computer forensic specialist. October 4, 2021: The investigation revealed that certain files on CPK’s systems were subjected to unauthorized access. The company reviewed the affected files to “identify the information involved and to whom it related.” October 13, 2021: The company completed its review and “determined the scope of impacted individuals and the types of protected data associated with those individuals, including Social Security number.” After this, it claims to have worked to provide notification to those who may have been impacted. November 15, 2021: CPK gave written notice of the data breach to all those affected.
Statement by California Pizza Kitchen
In its letter to potentially affected individuals, CPK provided a statement on the incident. This also included information on measures to avoid incidents in the future. “Information security is among our highest priorities, and we have strict security measures in place to protect information in our care. Upon discovering this incident, we immediately took steps to review and reinforce the security of our computing environment,” the letter reads. “We are reviewing existing security policies and have implemented additional measures to further protect against similar incidents moving forward. We also reported the incident to law enforcement and will cooperate with any investigation,” CPK added. Furthermore, the company offered to provide those affected with identity-theft protection, such as credit monitoring from Experian and identity theft insurance.