Yet another data leak: One million credit cards of Domino’s Pizza customers

Jubilant Foods runs the chain of Domino's Pizza stores in India.

Domino’s India data that included sensitive customer information such as their names, phone numbers, and credit card details has allegedly been breached and put on sale on the dark web.

According to tweets by Alon Gal, the Israel-based co-founder and chief technology officer of cybercrime intelligence firm Hudson Rock, the data amounts to 13 terabytes (TB). He tweeted on Sunday that the data includes as many as 180 million order details, including 1 million credit card details.

The data, said Gal, was up for sale on the dark web. The threat actor, he said, was asking for $550,000 for the data. The threat actor also had plans to build a search portal to enable data search, he added.

A company spokesperson for Domino’s India said, "experienced an information security incident recently. No data pertaining to financial information of any person was accessed and the incident has not resulted in any operational or business impact. As a policy, we do not store financial details or credit card data of our customers, thus, no such information has been compromised. Our team of experts is investigating the matter and we have taken necessary actions to contain the incident.”

is the parent firm of Domino’s India.

Rajshekhar Rajaharia, the cybersecurity researcher who first alerted users about a big at payments firm MobiKwik last month, said he had alerted the Computer Emergency Response Team (CERT-In), the government's cyber incident arm, about the Domino’s in March.

“Again big data leak! 200 million order details, including 13 TB data of Domino's India, allegedly leaked from Domino’s India server. The data includes mobile numbers, email IDs, names, home address, payment types, and social login tokens. It seems the financial data is not there,” tweeted Rajaharia on Monday.

He further said that the Domino's data was earlier claimed to be in the possession of the same hacker who had accessed the MobiKwik data. "It seems the same hacker who allegedly hacked #MobiKwik had access to Domino's from February. I had alerted CERT-In on March 5. Later, the first hacker sold server access to some other reseller. Now they are planning to create another search engine," he added.

“Domino’s India joins a string of hacking incidents involving Indian firms in the recent past, including BigBasket, BuyUcoin, JusPay, Upstox and others. There needs to be an increased focus on cybersecurity. Based on our research, on average, an organisation in India has been attacked 1,681 times a week in the past six months. This is 2.5x higher than the global average of 667 attacks internationally,” said Sundar N Balasubramanian, managing director-India and Saarc, Check Point Software Technologies.

The alleged breach at Domino's once again highlights the lack of legal and operational remedies available to Indians in case their data is leaked online.

India does not yet have specific legislation dealing with user data breach cases or penal actions relating to them. The Personal Data Protection Bill, which is proposed to deal with such cases of data breaches, has been pending in the Lok Sabha since 2019.

"Customers need to be made aware of the breach and provide means to protect against future misuse of their personal and credit card data. Organisations in India have to be made liable for such breaches with enough financial implication, making data security a top priority in every enterprise," said Sonit Jain, chief executive officer of cybersecurity firm GajShield Infotech.

The data breach at MobiKwik allegedly affected the data of 3.5 million of its users, exposing know-your-customer documents, such as addresses, phone numbers, Aadhaar numbers, permanent account numbers and so on. The size of the data was reported to be 8.2 TB. MobiKwik denied the breach.

Earlier this month, Facebook and LinkedIn also saw data leaks of millions of users, including the data of Indian users. While both admitted that customer data had been leaked, both said it wasn’t hacked from their systems, but had been scraped. Scraping means using an application to extract valuable information from a website.
