Domino’s India, the popular pizza delivery chain, reportedly faced a data breach that includes internal company documents of the past seven years, private data belonging to over 250 employees, customer details from over 18 crore food orders and over 10 lakh credit cards that may have been saved during checkout and payments. The breach was reported by Sourajeet Majumder, who further reported the incident to Domino’s India and Cert-In, among other authorities. The database remains active on a dark web cyber raid forum, News18 could confirm via Majumder, and the hackers have demanded a ransom of 50 BTC (approx. Rs 21.3 crore as of publishing) from Domino’s India, should the latter not wish for their data to be traded.
A Domino’s spokesperson was unavailable for comment, and efforts to reach the company remained unsuccessful at the time of publishing the story. According to Majumder, who also revealed the breach on Twitter, the attackers behind the breach are asking for a payment of $10,000 (approx. Rs 7.5 lakh) via cryptocurrency OmniCoin’s escrow module to offer a sample of the data that they have gotten hold of. This sample bundle seemingly contains examples of the kind of data that the breached Domino’s India database has, along with 5GB of sample files and the entire list of files that the entire data set contains. The hackers have also confirmed that the group aims to build a searchable database front that may be accessible via TOR, and anyone willing to build the back-end API for them will be paid $1,000.
The breach is the second significant one of its kind, but much lesser in magnitude in comparison to the Mobikwik data breach that made headlines earlier this month. While Mobikwik’s continued denial of the breach and pointing fingers at other services for it led to widespread criticism of the company by cyber security researchers around the world, Domino’s India also appears to have avoided any disclosure to its customers as of now. News18 could not independently verify the claims made by the attackers as of now, but all evidence points to the breach most likely being authentic.
If true, the 13TB database that contains seven years’ worth of data from Domino’s India contains residential addresses and payment instrument details of customers who placed orders with Domino’s India at any point since 2015. The data set is right now being sold on the dark web in two packages, with the smaller one costing BTC 2 (approx. Rs 85 lakh) and the full set costing BTC 8 (approx. Rs 3.4 crore) for any interested party. The move marks yet another cyber security incident, which raises yet another question mark over the lingering lackadaisical approach around data security that companies still have.