×

Domino's India hacked; customer data allegedly up for sale on the dark web

Company admits data breach, says no financial data in leak

Representational image

As digital transactions surged in the aftermath of the COVID-19 pandemic, the risk of data theft grew with it. Of late there have been several high profile data leaks—Facebook, Mobikwik, Upstox to name just a few. Now, millions of records from Domino’s India, the country’s largest pizza delivery chain, have allegedly been put up for sale on the deep web by hackers. 

The information was first reported by Alon Gal, the co-founder and CTO at cybercrime intelligence firm Hudson Rock.

“Threat actor claiming to have hacked Domino’s India and stealing 13TB worth of data. Information includes 180,000,000 order details containing names, phone numbers, emails, addresses, payment details, and a whopping 1,000,000 credit cards,” he tweeted.

Gal further added that the hacker was looking for around $550,000 for the database and saying they have plans to build a search portal to enable querying the data.

Separately, Rajshekhar Rajaharia, an independent internet security researcher, alleged that 20 crore order details were allegedly leaked from Domino’s India server. According to Rajaharia, the data included mobile numbers, email, names, address, payment type and social login tokens. However, he believes the dump does not include financial data.

A spokesperson for Jubilant Foodworks, which operates the Domino’s pizza chain in India, acknowledged there had been a data security issue recently. However, the spokesperson said there was no financial data that was accessed.

“Jubilant Foodworks experienced an information security incident recently. No data pertaining to financial information of any person was accessed and the incident has not resulted in any operational or business impact. As a policy, we do not store financial details or credit card data of our customers, thus no such information has been compromised,” the spokesperson said.

Last month, security researchers including Rajaharia had claimed that know-your-customer (KYC) information of 3.5 million users of payment app Mobikwik had allegedly been put up for sale on the dark web.

Rajaharia feels the same hacker may be linked to the Domino’s leak too and he had alerted The Indian Computer Emergency Response Team (CERT-In) about it.

“It seems, the same hacker who allegedly hacked Mobikwik, was having Domino’s access from February 2021. I had alerted CERT-In on March 5, 2021 about this. Later, [the] first hacker sold server access to some other reseller,” he alleged.

Domino’s joins several big organisations like Facebook, LinkedIn, Mobikwik and BigBasket that have seen data breaches over the last year, at a time when millions of employees are working from home and consumers too are doing more transactions digitally.

According to a report by IBM earlier this year, India faced the second most number of cyberattacks after Japan in the Asia Pacific region in 2020.