Domino’s India data hacked? That’s what an Israeli cyber expert has claimed on the microblogging site Twitter.
Hackers have hacked into Domino’s India data, stole 13TB worth of data and are selling it on the dark web. Tweeted an Israeli cyber expert Alon Gal. The hackers allegedly are selling the stolen data at a price of 10 BTC (bitcoin), which is approximately $ 569,506 or INR 4.26 crore.
“Threat actor claiming to have hacked Domino’s India (@dominos) and stealing 13TB worth of data. Information includes 180,000,000 order details containing names, phone numbers, emails, addresses, payment details and a whopping 1,000,000 credit cards,” Alon Gal, Co-Founder and CTO of Israeli cybercrime intelligence firm Hudson Rock tweeted on Sunday.
Evidence of Domino’s India data breach claim
As proof of Domino’s India data hacked claim. Gal has also tweeted an email screenshot from the hackers, sharing the details of data stolen. That includes Domino’s employees and customers details – name, phone number, address and credit cards.
“We have breached Domino’s India and got 13TB all internal files of 250 employees, from IT, Legal, Finance, Marketing, Operations, etc. We got all customers details and 180 M (million) order details (name, phone number, email, delivery address, payment, and 1M (million) credit cards used to purchase on Domino app,” hackers claimed in the email.
What appears so far, the hackers targetted users of the Domino’s Pizza mobile app in India. Most apps that facilitate some kind of financial transactions does store credit or debit card and other user details. And that makes mobile apps and their users highly vulnerable to hackers and cyberattacks.
“Internal files contains all files from 2015-2021 and lots of outlook mail archives. Breach – April 2021,” hackers mentioned in the email.
Further, Gal in his other tweet has shared an email screenshot with hackers quoting a price for Domino’s India hacked data to potential buyers.
“Around 10 BTC (We have two offers at 2 BTC and 8 BTC) Domino’s might pay nearly 50 BTC if they don’t want this to go public,” hackers wrote in the email.
Interestingly, whoever these hackers or group of threat actors are. They seem to be well familiar with the recent hacking incidents in India. This can be understood from what they have mentioned in the email and their purpose behind Domino’s security breach.
“We have plans to build a search portal like other groups which did MobiKwik breach last month on RaidForums,” the hackers revealed.
Hackers too face difficulties, seek someone’s help
Besides, revealing their plans, the hackers strangely have confessed having difficulties in managing databases systems such as MySQL and MongoDB. More so, they are even ready to pay around $1000 to anyone having MySQL and coding experience. They seek someone’s help to fix database search queries and output.
“But having difficulties with MySQL. Anyone with MySQL experience can contact us to help us build it. We have frontend HTML and Javascript. Just need backend API. Will pay around $1000 for probably one day work with 1 MySQL table and 1 Mongo(DB) table and some backend code to take search input and give output in JSON,” the hackers mentioned in the mail.
Probably, this could be the first of an incident where the hackers are not just selling stolen data. But are also sharing their difficulties and seeking someone’s help for which they are ready to pay as well. Claims made by Hudson Rock’s Gal have not been verified or challenged independently so far.
Domino’s Pizza master franchise denies hacking allegations
However, the Noida based Jubilant FoodWorks – a master franchise for Domino’s Pizza in India, Nepal, Sri Lanka and Bangladesh has somewhat denied the data stolen or storing allegations as per a media report.
“Jubilant FoodWorks experienced an information security incident recently. No data pertaining to financial information of any person was accessed and the incident hasn’t resulted in any operational or business impact,” the company said in a statement.
“As a policy, we do not store financial details or credit card data of our customers, thus no such information has been compromised. Our team of experts is investigating the matter and we have taken necessary actions to contain the incident,” the company added.
Jubilant FoodWorks statement appears contradictory
Although the company has rejected the data breach claims, its statement seems to contradict what it stated.
“Jubilant FoodWorks experienced an information security incident recently” – the company said in its statement – so what does it mean. Was there any likely security breach incident or an attempted security breach? That does put the Indian foodservice company under the scanner and certainly, this matter requires a thorough investigation.
India still lacks stringent cyber laws, regulatory filings
Unlike in the US and Europe. India still lacks stringent laws around cybersecurity and data protection, which mandates organisations to disclose any incidents of a data breach or security compromise.
Because of the weaker IT legal framework in India, companies don’t face any financial penalties. Or aren’t required to compensate customers affected by cybercrimes such as data breaches.
However, Domino’s India data breach incident isn’t the first or last one that ever occurred in India. There have been several incidents of data hack or security breaches in India in recent years.
Increased focus on Cybersecurity
Companies and businesses in the country need increased focus on cybersecurity and strengthen their IT systems and applications.
“Domino’s India joins a string of hacking incidents involving Indian firms in the recent past. Including Bigbasket, BuyUcoin, JusPay, Upstox and others,” said Sundar N Balasubramanian, MD – Check Point Software Technologies, India and SAARC.
“There needs to be an increased focus on cybersecurity. Our research showed on average, an organisation in India has been attacked 1681 times a week in the last 6 months. This is more than 2.5x higher than the global average of 667 attacks globally,” added Balasubramanian.
According to Balasubramanian, organisations in India concerned about preventing data loss should consider a solution having certain capabilities. Such as tracks and controls any type or format of sensitive information in motion, such as e-mail, web browsing and file-sharing services.
It should educates and alerts end-users on proper data handling without involving IT/security teams, and allows real-time user remediation. It should be centrally managed across the organisation’s entire IT infrastructure from a single console and it should leverage out-of-the-box best practice policies, he pointed.
Incident remains unverified yet
Though Domino’s India data hacked incident remains unverified yet. “If it’s indeed true, that customer data along with financial data like a credit card has been leaked. Then it shows enterprise has still not learnt from others. They don’t give data security the importance it deserves,” said Indian firewall brand GajShiled Infotech CEO Sonit Jain.
“They don’t follow basic steps to ensure that customer data is well protected, especially financial information. Customers need to be informed of the breach. Provide them with means to protect against future misusing of their personal and credit card data,” added Jain.
“Organisations in India have to be made liable for such breaches with enough financial implication, making data security a top priority in every enterprise,” emphasized Jain.