Has Domino’s India data been hacked?
That’s what an Israeli cyber expert has claimed on the microblogging site Twitter.
Hackers have hacked into Domino’s India, stolen 13TB worth of data and are selling it on the dark web, Israeli cyber expert Alon Gal tweeted.
The hackers are allegedly selling the stolen data at a price of 10 BTC (bitcoin), which is approximately US$569,506 or INR 4.26 crore.
“Threat actor claiming to have hacked Domino’s India (@dominos) and stealing 13TB worth of data. Information includes 180,000,000 order details containing names, phone numbers, emails, addresses, payment details and a whopping 1,000,000 credit cards,” Alon Gal, Co-Founder and CTO of Israeli cybercrime intelligence firm Hudson Rock tweeted on Sunday.
As proof of the claim that Domino’s India was hacked, Gal has also tweeted a screenshot of an email from the hackers that shares details of the stolen data.
That includes details of Domino’s employees and customers: names, phone numbers, addresses and credit cards.
“We have breached Domino’s India and got 13TB all internal files of 250 employees, from IT, Legal, Finance, Marketing, Operations, etc. We got all customers details and 180 M (million) order details (name, phone number, email, delivery address, payment, and 1M (million) credit cards used to purchase on Domino app),” hackers claimed in the email.
From what is known so far, the hackers appear to have targeted users of the Domino’s Pizza mobile app in India. Most apps that facilitate some kind of financial transaction store credit or debit card and other user details, and that makes mobile apps and their users highly vulnerable to hackers and cyberattacks.
“Internal files contain all files from 2015-2021 and lots of Outlook mail archives. Breach – April 2021,” hackers mentioned in the email.
In another tweet, Gal shared an email screenshot in which the hackers quote a price for the hacked Domino’s India data to potential buyers.
“Around 10 BTC (We have two offers at 2 BTC and 8 BTC) Domino’s might pay nearly 50 BTC if they don’t want this to go public,” hackers wrote in the email.
Interestingly, whoever these hackers or threat actors are, they seem to be well aware of recent hacking incidents in India. That is evident from what they wrote in the email about their purpose behind the Domino’s security breach.
“We have plans to build a search portal like other groups which did MobiKwik breach last month on RaidForums,” the hackers revealed.
Hackers seek help
Besides revealing their plans, the hackers have, strangely, admitted to difficulties in managing database systems such as MySQL and MongoDB. They are even ready to pay around $1000 to anyone with MySQL and coding experience, and are seeking help to fix database search queries and output.
In all probability, this could be the first incident in which hackers are not just selling stolen data but are also sharing their difficulties and seeking help that they are ready to pay for.
Claims made by Hudson Rock’s Gal have not been verified or challenged independently so far.
Domino’s denies allegations
However, Noida-based Jubilant FoodWorks, which holds the master franchise for Domino’s Pizza in India, Nepal, Sri Lanka and Bangladesh, has somewhat denied the allegations that data was stolen or that it stores such data, according to a media report.
“Jubilant FoodWorks experienced an information security incident recently. No data pertaining to financial information of any person was accessed and the incident hasn’t resulted in any operational or business impact,” the company said in a statement.
“As a policy, we do not store financial details or credit card data of our customers, thus no such information has been compromised. Our team of experts is investigating the matter and we have taken necessary actions to contain the incident,” the company added.
Jubilant statement contradictory
Although the company has rejected the data breach claims, its own statement seems to contradict that rejection.
“Jubilant FoodWorks experienced an information security incident recently” – the company said in its statement.
So what does it mean? Was there a security breach, or an attempted security breach? That puts the Indian foodservice company under the scanner, and the matter certainly requires a thorough investigation.
India lacks stringent cyber laws
Unlike the US and Europe, India still lacks stringent cybersecurity and data protection laws that mandate organisations to disclose any data breach or security compromise.
Because of the weaker IT legal framework in India, companies don’t face any financial penalties and aren’t required to compensate customers affected by cybercrimes such as data breaches.
However, the Domino’s India data breach incident isn’t the first or last to occur in India. There have been several incidents of data hacking or security breaches in India in recent years.
Increased focus on cybersec
Companies and businesses in the country need to increase their focus on cybersecurity and strengthen their IT systems and applications.
“Domino’s India joins a string of hacking incidents involving Indian firms in the recent past, including Bigbasket, BuyUcoin, JusPay, Upstox and others,” said Sundar N Balasubramanian, MD – Check Point Software Technologies, India and SAARC.
“There needs to be an increased focus on cybersecurity. Our research showed on average, an organisation in India has been attacked 1681 times a week in the last 6 months. This is more than 2.5x higher than the global average of 667 attacks globally,” added Balasubramanian.
According to Balasubramanian, organisations in India concerned about preventing data loss should consider a solution having certain capabilities such as tracking and controlling any type or format of sensitive information in motion, such as e-mail, web browsing and file-sharing services.
It should educate and alert end-users on proper data handling without involving IT/security teams, and allow real-time user remediation. It should be centrally managed across the organisation’s entire IT infrastructure from a single console, and it should leverage out-of-the-box best-practice policies, he pointed out.
Incident remains unsolved
Though the Domino’s India hacking incident remains unverified, “If it’s indeed true that customer data along with financial data like a credit card has been leaked, then it shows enterprise has still not learnt from others. They don’t give data security the importance it deserves,” said Sonit Jain, CEO of Indian firewall brand GajShield Infotech.
“They don’t follow basic steps to ensure that customer data is well protected, especially financial information. Customers need to be informed of the breach. Provide them with means to protect against future misuse of their personal and credit card data,” added Jain.
“Organisations in India have to be made liable for such breaches with enough financial implication, making data security a top priority in every enterprise,” emphasized Jain.