Details of people who purchased Domino’s Pizza online in India are being sold on the dark web for Rs. 4 crores.
Domino’s India, one of the most popular pizza delivery chains, reportedly suffered a data breach that included internal company documents from the past seven years, private data belonging to over 250 employees, customer details from over 18 crore food orders, and over 10 lakh credit cards that may have been saved during checkout and payments. The breach was reported by Sourajeet Majumder, who further reported the incident to Domino’s India and CERT-In, among other authorities. The database remains active on a dark web cyber raid forum, News18 could confirm via Majumder, and the hackers have demanded a ransom of about 50 BTC (approx. Rs 21.3 crore as of publishing) from Domino’s India, should the latter not wish for their data to be traded.
A Domino’s spokesperson was unavailable for comment, and efforts to reach the company remained unsuccessful at the time of publishing the story. According to Majumder, who also revealed the breach on Twitter, the attackers behind the breach are asking for a payment of $10,000 (approx. Rs. 7.5 lakh) via cryptocurrency OmniCoin’s escrow module to offer a sample of the data that they have gotten hold of. This sample bundle seemingly contains examples of the kind of data in the breached Domino’s India database, along with a 5GB sample of that data, and the entire files that the data set contains. The hackers have also confirmed that the group aims to build a searchable database front end that may be accessible via TOR, and anyone willing to build the back-end API for them will be paid $1,000.
The breach is the second significant one of its kind, but much smaller in magnitude than the Mobikwik data breach that made headlines earlier this month. While Mobikwik’s continued denial of the breach and pointing fingers at other services for it led to widespread criticism of the company by cybersecurity researchers around the world, Domino’s India also appears to have avoided any disclosure to its customers so far. News18 could not independently verify the claims made by the attackers as of now, but all evidence points to the breach most likely being authentic.
If true, the 13TB database that includes seven years’ worth of data from Domino’s India contains residential addresses and payment instruction details of customers who placed orders with Domino’s India at any point since 2015. The data set is currently being sold on the dark web in two packages, with the smaller one costing BTC 2 (approx. Rs 85 lakh) and the full set costing BTC 8 (approx. Rs 3.4 crore) for any interested party. The move marks yet another cybersecurity incident, and raises yet another question mark over the inattentive approach to data security that companies still take.