The data breaches that have hit multinational corporations such as Target and UPS have now infiltrated your local pizza joint.

Portland-based Otto Pizza announced Friday that a data breach may have resulted in the theft of about 900 customers’ credit and debit card numbers from its Congress Street locations on Munjoy Hill and in the Arts District.

Company officials said in a news release that authorities recently notified Otto that it suffered a “point of sale” attack that allowed computer hackers access to some customers’ credit card numbers.

The attack ran from early May to Aug. 13 and affected credit card terminals at its 576 Congress St. and 225 Congress St. locations. Otto’s six other restaurants in Maine and Massachusetts and customers of its home delivery service are unaffected.

No actual fraud or misuse of customers’ credit card numbers has been reported, said Eric Shepherd, the director of marketing and communications for Otto.

“It’s not just T.J.Maxx and UPS and TD Bank. They’re starting to hit smaller businesses. There’s no target that’s too small,” Shepherd said.

There’s a good chance the hackers that planted the virus never stopped for a signature slice topped with mashed potato.

“Every indication seems to point toward this was a non-targeted remote hacking,” Shepherd said.

Even though the chain has restaurants in Massachusetts, the original home of Otto Pizza, on Congress Street in the Arts District, still looks and smells like a neighborhood pizza joint. So Shepherd was startled when, a little more than a week ago, the company got a call from the U.S. Secret Service. The agency said that it had located a batch of credit card numbers and was able to determine that some of those came from credit card machines at Otto.

Investigators identified three machines which had the malicious software and disabled it. The hard drives of the affected terminals were replaced and additional firewall and monitoring software was installed, the company said.

Customers should now feel secure using their credit and debit cards at all Otto locations, the company said in a statement announcing the breach. Otto informed its employees and placed a statement on its website telling customers of the situation. A special telephone line has been established to assist customers who have questions or concerns, it said.

The company notified the Attorney General’s Office, but had to hold off on a wider notification until law enforcement determined that an announcement wouldn’t hurt the investigation, Shepherd said.

Shepherd said the chain wasn’t lax on security in the first place. They complied with the security protocols developed by the Payment Card Industry Security Standards Council.

“It’s a little scary,” he said. “I think most businesses think they’re immune. You can think you’re on top of everything and they can still get you.”

In that, the small businesses and the large are in the same boat.

This month, Shaw’s Supermarkets announced a data breach, and six years ago, grocery rival Hannaford Supermarkets also had a major data breach.

The Maine attorney general’s website includes a list of 321 companies inside and outside of Maine which have had data breaches in the past year and a half that affected the credit cards and personal information of Mainers.

Earlier this year, the FBI issued a confidential report to a number of retail companies warning them to brace for more cyber attacks, according to a report by the Reuters news service. The FBI said it discovered some 20 hacking cases in the previous year using the malicious software used to swipe credit information from Target Corp. last holiday shopping season.

Otto isn’t the first small local company to be hit.

A story in the Portland Press Herald a year ago noted that the town of Cumberland, The Works Bakery cafe in Portland, and Agincourt Wallboard in Westbrook had all been targeted, along with major companies such as Facebook and Apple, and publications such as The New York Times and The Washington Post.

In the first six months of 2012, 36 percent of all targeted attacks were directed at businesses with 250 or fewer employees.

Shepherd said the data breach announced two days ago by United Parcel Service, which affected 51 franchises though none in Maine, sounds remarkably similar to the pizza chain’s experience. The UPS release said that many U.S. retailers received a government bulletin recently warning them about malicious software that could not be identified by standard anti-virus software. The company said the exposure stopped Aug. 11.

The Secret Service would not confirm that both data breaches were identified through the same batch of numbers recovered by investigators. The agency wouldn’t even confirm that Otto had been a target, because it doesn’t comment on who may or may not be part of an ongoing investigation, said David Watson, resident agent at the Portland Office of the Secret Service.

Watson did say that people are learning about more data breaches than they did five or 10 years ago in part because companies are monitoring them more closely and also because companies are keeping much more data than they once did.

Consumers who discover suspicious transactions on their credit or debit card statements are advised to contact their credit card company or bank immediately. They also may want to replace their credit cards and change their passwords or PINs.

The terminals in question served customers who used their credit or debit cards to purchase meals at the two Portland locations. Otto said it believes that fewer than 3 percent of the total number of transactions at either location between May 1 and Aug. 13 were potentially compromised.

