Around May 24, 2021, Domino’s Pizza brand, run by JubilantFoodworks Limited in India has had its data breached and made public. Detailsof orders made on Domino’s online using app or website are available for searchby anyone.
The data was authentic and exposed full name, full address,GPS coordinates of the delivery location, email address, mobile number.
The public interface created by those who provided thisaccess claim that financial details like credit card, debit card, etc are alsoavailable but the company denies any possibility of this since they claim thatfinancial data is never processed or saved on Domino’s Pizza computers.
Further, the hackers were offering the entire data dump, 13terabytes of purportedly allegedly authentic employee and customer details, forsale to anyone who is willing to talk to them via email mentioned on theirpublic-facing search engine of the breached data.
The company accepted that a breach was made and the mentioneddata were stolen. However, the company claimed that financial data was notstolen, and that this incident did not result in any operational or businessimpact.
Further, the company then took action and claimed, "Wemoved quickly to contain the breach and hired an external agency to do an impactassessment. Domino's, as a policy, does not store financial details of userssuch as complete credit card number, CVV, passwords, etc and therefore, no suchinformation was compromised."
The company also approached Delhi High Court to get the Ministryof Electronics and Information Technology; and the Department of Communicationsto block access to the website.
The access to the link https://slf2rrahypck3bwckpdohsnhpeqrb3nhvwznjmarmweofwnptowe4mad.onion.ly/?s=08was blocked from Indian Internet Service Providers (ISPs) and it was put onrecord that the hackers had also attempted to arrange money from the company byintimidating and attempting to extort ransom.
Though, the access to the link is available via a proxy likeKProxy and entering the linkin the box provided there. But, even if access to the site can be arranged viaa proxy, the hackers havewithdrawn the free search facility.
An email address is provided and a forumfor publicly displayed negotiations is mentioned on the page. The page alsowarns of not buying the data from other channels like Telegram app.
The original message by the alleged hackers was,
“We breached Domino's India and got 13TB all internal filesof 250 employees from IT, Legal, Finance, Marketing, Operations etc. We got allcustomers details and 180M order details (name, ph number, email, deliveryaddress, payment details) and 1M credit cards used to purchase on Dominos app.
Internal files contain all files form 2015-2021 and lots ofoutlook mail archives. Breach - April 2021.
Company details:
Revenue: $500M lasy FY
Employees: 30000
Stores: 1260
Serious buyers PM with your price. One sale only.”
The data appears to have been boughtby someone.
So, your data is lying somewhere with someone waiting to beexploited.