Global pizza giant Domino’s suffered a major data breach in March that involved a hacker gaining access to the company's India-based database that stored data associated with over 180 million orders as well as financial information of more than a million customers.
According to Alon Gal, CTO of security firm Hudson Rock who discovered the breach, the database owned by Domino's, which also contains the data of 250 employees based in India, contains 13TB of data and has been put up for sale by a hacker on the Dark Web. The data on offer includes over a million customers' names, email IDs, phone numbers, delivery address, and payment details.
According to Gal, cyber criminals are planning to sell the entire database to the highest bidder for 10 bitcoins, or approximately £396,000. They are also planning to create a search portal to enable querying of the data.
Recently, security researcher Sourajeet Majumder also tweeted a few screenshots of the hacker’s communication that confirmed that as of now, the hackers have two offers of selling the data for 2 and 8 bitcoins (depending on the package the buyer wants). Dominos’s India has also been asked by the hackers to pay up to 50 bitcoin if it wants to prevent the database from being sold to the highest bidder on the Dark Web.
When Gadgets 360 reached out to Domino's India, a spokesperson said that Jubilant FoodWorks, the Master Franchisee of Domino’s Pizza in India, Bangladesh, Sri Lanka and Nepal, did experience an information security incident recently but no financial information of customers was compromised.
"No data pertaining to financial information of any person was accessed and the incident has not resulted in any operational or business impact. As a policy we do not store financial details or credit card data of our customers, thus no such information has been compromised. Our team of experts is investigating the matter and we have taken necessary actions to contain the incident,” the spokesperson said.
According to security researcher Rajashekhar Rajaharia, the theft of Domino's database is the work of the same hacker who stole the data of nearly a hundred million Indian citizens from Indian mobile payments company MobiKwik in January this year.
More than 8.2TB of MobiKwik user data was stolen by a hacker named Jordan Daven and the data records included names, phone numbers, email addresses, scrambled passwords, GPS locations, transactions logs, and partial payment card numbers of Indian citizens. The data repository was put up for sale on the Dark Web for 1.2 bitcoin which translates to roughly £51,402.