A data breach at Domino’s Pizza has come to light, resulting in the theft of 13TB of data. Alon Gal, CTO of security firm Hudson Rock, first reported the incident in a tweet.
The stolen data of over 13TB contains information on 180,000,000 orders. This data includes names, phone numbers, emails, addresses, payment details, and 10,00,000 credit card details.
Gal stated that the threat actor is looking for about $550,000 (roughly Rs 4 crore) for the database. They also intend to create a search portal to allow querying the data.
According to an article by We for News, independent cybersecurity researcher Rajshekhar Rajaharia said he had alerted CERT-In about this possible breach on March 5.
“I had alerted CERT-In about a possible Domino’s Pizza India hack where the threat actor got data access with details like 200 million orders and personal data of the users too. The hacker, however, did not provide any sample,
Rising Data Breaches
Data breach cases in India are on the rise, and this breach at Domino’s India is the latest on the list. The Facebook data breach, the LinkedIn data breach impacting 500mn users, the data leak of 3.5mn Mobikwik users, and the reported Moneycontrol data breach impacting 7 lakh+ users are some incidents from the last two weeks alone.
In November 2020, BigBasket filed a complaint with Bengaluru’s Cyber Crime Cell to check allegations that a hacker had placed the online grocer’s data up for sale on the dark web for over $40,000.
In May 2020, Unacademy revealed a data breach that affected 22 million users’ accounts. Zee 5 was also hacked, exposing the personal information of 9 million users. A hacking group alleged that India’s vital information infrastructure had been breached, and a study claimed that China was behind the Mumbai blackout.
While India’s data protection law is still pending, there is a strong need to inculcate healthy data practices and data protection to secure user privacy. Furthermore, companies need to compete on providing data protection, not just on data accumulation.
Update (24th May, 2021): ToI reported that the attacker has made the entire database public. The attacker has generated a search link that says ‘180m rows searchable’, also declaring that payment details and employee files will be made public soon. A search query against the database reveals all addresses at which an order has been delivered, along with phone numbers and email.
Update (25th May, 2021): Domino’s officially acknowledges the data breach. Although the company accepts the breach, there is a lot that customers should be aware of. The company should disclose exactly what data was breached and the number of users who were affected by the breach.
The company should also disclose whether it follows reasonable security practices as per the IT Rules. Doing so would give customers assurance that goes beyond merely acknowledging the breach.