Domino's acknowledges data breach; Denies leak of million credit cards
Pizzas are usually considered bad for your health, but the latest Domino's India data leak could have serious consequences for your financial health as well. The latest security lapse has allegedly compromised customers' names, phone numbers, delivery addresses, and credit card details. The breach came to light after Alon Gal, CTO of Israeli cybersecurity firm Hudson Rock, tweeted about it on Sunday.
Threat actor claiming to have hacked Domino's India (@dominos) and stealing 13TB worth of data. Information includes 180,000,000 order details containing names, phone numbers, emails, addresses, payment details, and a whopping 1,000,000 credit cards. pic.twitter.com/1yefKim24A — Alon Gal (Under the Breach) (@UnderTheBreach) April 18, 2021
The fact that Domino's accounts for 70 percent of the country's pizza consumption and 16 percent of fast-food sales makes the leak all the more damning. The 13TB data cache allegedly includes a million credit card details and data on 180 million orders. Besides customers, personal details of more than 250 Domino's employees spanning IT, legal, finance, marketing, and operations verticals have been leaked.
Speaking to IANS, security researcher Rajshekhar Rajaharia claimed to have reported this breach to the Indian Computer Emergency Response Team (CERT-In) on March 5. According to Rajaharia, the same hacker was also responsible for the MobiKwik data leak, reported earlier this month. He also claimed that the hacker had access to Domino's data as early as February this year.
Again Big Data Leak! 20 Crore Order Details including 13 TB data of Domino's India alleged leaked from #DominosIndia Server. Data Includes mobile, email, name, home address, payment type and Social Login Tokens. It seems Financial data is not there. #infosec #GDPR @jackerhack pic.twitter.com/glOAFpQCD7 — Rajshekhar Rajaharia (@rajaharia) April 19, 2021
"Jubilant FoodWorks experienced an information security incident recently. No data pertaining to financial information of any person was accessed and the incident has not resulted in any operational or business impact," said Domino's parent company in a statement to Gadgets360.
Meanwhile, Domino's parent company Jubilant FoodWorks has issued a statement to Gadgets360 acknowledging the breach. However, the company denies storing customer financial details and claims that credit card data has not been compromised. Rajaharia has backed up Domino's claim by tweeting that he couldn't find financial data in the leak so far. Things could change though, as the hackers promise to reveal more.
"As a policy we do not store financial details or credit card data of our customers, thus no such information has been compromised. Our team of experts is investigating the matter and we have taken necessary actions to contain the incident," Domino's spokesperson said.
According to Gal's tweet, the hacker has put the data up for sale on hacker forums. The seller expects a one-shot deal and has therefore demanded $550,000 for the massive Domino's database. The proof showcased on the forum makes it look like the hacker had access to Domino's database long enough to create a backup, but nothing can be determined conclusively at this juncture.
Such illegal transactions are usually accompanied by the perpetrators releasing a part of the database as proof for verification. However, this leak is said to have occurred earlier and the hacker is apparently putting together a searchable database as proof for potential buyers. The search portal will allow affected users to query the database to see if they have been compromised.