Previously, a preliminary report from UpGuard had given Domino’s Pizza’s security posture a “B-grade” rating, based on the security folds implemented by the pizza serving giant. It had scored 713 out of the total 950 points which are awarded based on UpGuard’s internal parameters and standards. However, it seems like this incident has come back to haunt them. Domino’s Pizza is one of the most popular pizza chains in India and has reportedly faced a data breach incident that leaked nearly 13TB worth of its internal data. The data breach was brought to light by Alon Gal, a renowned cybersecurity researcher and chief technical officer at Hudson Rock, an Israeli cybersecurity firm.
Alon tweeted his findings on Sunday stating that the leaked information included 180 million order details of Domino’s Pizza deliveries across India. These order details include the following:
- Customer names
- Phone numbers
- Email IDs
- Delivery address
Additionally, the payment details of certain orders made through the Domino’s India app have also been compromised, exposing nearly one million credit card details of its customers.
Related News:
Threat actor claiming to have hacked Domino’s India (@dominos) and stealing 13TB worth of data.
Information includes 180,000,000 order details containing names, phone numbers, emails, addresses, payment details, and a whopping 1,000,000 credit cards. pic.twitter.com/1yefKim24A
— Alon Gal (Under the Breach) (@UnderTheBreach) April 18, 2021
According to Alon, apart from the order and credit card details, threat actors claimed to have internal data which includes employee details of more than 250 employees across various departments such as IT, legal, finance, marketing, operations, etc.
Alon’s investigation also found that the threat actor who has put up a sale post for the leaked information over a dark web forum has two offers at hand – 2 bitcoins and 8 bitcoins respectively — and can also be bought cumulatively for 10 bitcoins (no discount on offer here: pun intended). This means the complete data set is being sold for nearly $550,000 to a single user. However, the malicious actors have alternatively offered the same data set for 50 bitcoins (approximately $28,46,000) to Domino’s India if it did not want the data to “go public.”
The threat actor is looking for around $550,000 for the database and saying they have plans to build a search portal to enable querying the data. pic.twitter.com/o2UuA7LWXJ
— Alon Gal (Under the Breach) (@UnderTheBreach) April 18, 2021
Apparently, the post from the adversaries suggests that they are also trying to create a data leak search portal like the one which was created in the recently surfaced MobiKwik data breach, where users were able to post queries on the leaked data. However, their technical knowledge seems to be limited to the front end and they struggle when it comes to MySQL. Thus, they have posted a freelancing offer for this and are ready for a one-time payment of $1,000. They have asked interested users to send a backend API consisting of one MySQL and one MongoDB table with some backend code to take search input and display output in a JSON format.
Later, Alon Gal tweeted that “plenty of large-scale Indian breaches are taking place lately. This is worrying,” and we second that.
Related News:
India’s Data Breach Saga Continues; Country’s Second Largest Stockbroker, Upstox, Hit!
