Employee SSNs Exposed in California Pizza Kitchen Breach

California Pizza Kitchen (CPK), founded in Beverly Hills, California in 1985, has more than 250 locations across 32 states. CPK experienced a data breach exposing the full names and Social Security Numbers (SSNs) of current and former employees. The Maine Attorney General’s website reported that this “external system breach” occurred in September 2021 and impacted nearly all 103,767 employees, according to the data breach notification report.

The Breach

CPK detected “suspicious activity” in its systems on September 15, 2021, and took quick action to mitigate and investigate the occurrence with third-party IT forensic investigators, according to the notice. By October 4, 2021, investigators confirmed that some files on CPK’s systems “could have been accessed without authorization”. By the end of the initial review, it was determined that the attack had given attackers the names of former and current employees in combination with their SSNs, CPK said. CPK provided written notice of the breach to all affected individuals on Monday, November 15, over a month after it determined that critical employee data had been exfiltrated.

Specifics have not been revealed about exactly what type of breach occurred or how attackers infiltrated CPK’s systems. CPK is currently reviewing existing security policies and implementing additional measures, including safeguards and employee training to help prevent similar incidents going forward. 

CPK has also partnered with Experian to allow employees to register for an identity theft protection program called “IdentityWorks”. CyberHoot views any credit monitoring program, like “IdentityWorks”, in this situation to be 100% unethical. Why, you may ask? Because the simple truth is that one can freeze one’s credit at all four credit agencies (as detailed here) and prevent one’s identity and credit from being exploited. To encourage employees to monitor their credit instead of freezing it, enabling credit agencies to continue to monetize their data, is the height of credit agency self-interest at the expense of consumer safety and security. Freeze your credit to secure your identity.

What Can Your Company Do?

California Pizza Kitchen’s breach should be a nightmarish reminder to organizations that are lacking basic cybersecurity measures to act now. Some business owners think that they don’t have any data hackers would want, but they definitely do if they are paying employees. In order to send payments to employees, the company needs the employee’s Name, Bank Account Information, and Social Security Number (among other personal details). It’s vital that companies safeguard this critical employee data properly, leveraging awareness training alongside technical safeguards such as encryption and strong passwords stored in password managers, paired with multi-factor authentication.

Awareness Training

Al-Khalidi, co-founder and co-CEO of security firm Axiad, said this about the breach:

“Every business like California Pizza Kitchen possesses valuable PII data which makes them a prime target for attackers. To help protect against attacks, enterprises need to ensure their employees practice good cybersecurity hygiene…Ongoing [cybersecurity] training, which can prevent employees from falling prey to phishing or other socially engineered attacks that can take down an entire IT environment, can bolster a company’s overall security defense.”

Training employees on the threats they face every day when using Internet-connected devices is the best approach to cybersecurity: it arms users to be alert to risks and to follow best practices.


Using a proactive, zero trust (never trust/always verify) approach is recommended. The Zero Trust model of information security gets rid of the old ‘castle-and-moat’ strategy that had organizations focused on defending their perimeters while assuming everything already inside doesn’t pose a threat. Experts argue that the castle-and-moat approach doesn’t work. Game of Thrones proved this to be true time and again; anyone who could get past the castle walls could and would kill you. In our world, the most damaging data breaches have occurred when hackers gained access inside corporate firewalls and were then able to move through internal systems without much resistance.

A number of IT businesses are already doing many aspects of Zero Trust, experts say. They often have Two-Factor Authentication, Identity Access Management (IAM), and ‘least privilege’ in place.

Zero Trust is a difficult but necessary model for SMBs to adopt. When utilizing Zero Trust, networks are segmented, often by division of labor. SMBs should adopt Two-Factor Authentication and strong Identity and Access Management (IAM) protections, and should always try to follow the principles of Least Privilege for access to critical and sensitive data.
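The contrast between the two models can be made concrete with a small access-decision sketch for employee records. This is an added example, not code from the article or from CyberHoot; the role names, segment names, field names and sample requests are hypothetical.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Hypothetical grants: (role, segment) -> record fields that pair may read.
FIELD_GRANTS = {
    ("payroll_clerk", "payroll"): {"name", "ssn", "bank_account"},
    ("store_manager", "operations"): {"name", "schedule"},
}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    segment: str               # segment the session is bound to
    mfa_verified: bool         # second factor checked for this session
    on_internal_network: bool  # True once past the perimeter firewall
    fields: FrozenSet[str]     # employee-record fields being requested

def castle_and_moat(req: Request) -> bool:
    """Perimeter model: anything already inside the firewall is trusted."""
    return req.on_internal_network

def zero_trust(req: Request) -> Tuple[bool, str]:
    """Deny by default; network location is never consulted."""
    if not req.mfa_verified:
        return False, "second factor not verified"
    granted = FIELD_GRANTS.get((req.role, req.segment))
    if granted is None:
        return False, "role has no grant in this segment"
    excess = req.fields - granted
    if excess:
        return False, "least privilege: no grant for " + ", ".join(sorted(excess))
    return True, "allowed"

# Constructed sample requests (not taken from the CPK incident).
SAMPLES = [
    Request("manager-inside", "store_manager", "operations", True, True, frozenset({"name", "ssn"})),
    Request("clerk-no-mfa", "payroll_clerk", "payroll", False, True, frozenset({"name", "ssn"})),
    Request("clerk-wrong-segment", "payroll_clerk", "operations", True, True, frozenset({"ssn"})),
    Request("clerk-remote", "payroll_clerk", "payroll", True, False, frozenset({"name", "ssn"})),
]

def evaluate(samples: List[Request]) -> List[tuple]:
    """Return (user, perimeter_decision, zero_trust_decision, reason) per request."""
    return [(r.user, castle_and_moat(r), *zero_trust(r)) for r in samples]

if __name__ == "__main__":
    for row in evaluate(SAMPLES):
        print(row)
```

The perimeter check approves the first three requests simply because they originate inside the firewall, while the deny-by-default check refuses each of them and allows only the verified payroll clerk, even when that clerk is remote.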

Additional Recommendations

In addition to these protections, CyberHoot also recommends SMBs take the following steps to secure their business.  These measures provide a great deal of value for the cost and time investment they require (especially when delivered via CyberHoot).

  1. Govern employees with policies and procedures. You need a password policy, an acceptable use policy, an information handling policy, and a written information security program (WISP) at a minimum.
  2. Train employees on how to spot and avoid phishing attacks. Adopt a Learning Management system like CyberHoot to teach employees the skills they need to be more confident, productive, and secure.
  3. Test employees with phishing attacks for practice. CyberHoot’s Phish testing allows businesses to test employees with believable phishing attacks and put those that fail into remedial phish training.
  4. Deploy critical cybersecurity technology including two-factor authentication on all critical accounts. Enable email SPAM filtering, validate backups, deploy DNS protection, antivirus, and anti-malware on all your endpoints.
  5. In the modern Work-from-Home era, make sure you’re managing personal devices connecting to your network by validating their security (patching, antivirus, DNS protections, etc.) or prohibiting their use entirely.
  6. If you haven’t had a risk assessment by a 3rd party in the last 2 years, you should have one now. Establishing a risk management framework in your organization is critical to addressing your most egregious risks with your finite time and money.
  7. Buy Cyber-Insurance to protect you in a catastrophic failure situation. Cyber-Insurance is no different than Car, Fire, Flood, or Life insurance. It’s there when you need it most.

Most of these recommendations are built into CyberHoot. With CyberHoot you can govern, train, assess, and test your employees. Visit CyberHoot.com and sign up for our services today. At the very least continue to learn by enrolling in our monthly Cybersecurity newsletters to stay on top of current cybersecurity updates.
