Yet another data leak: One million credit cards of Domino's Pizza customers

Data amounts to 13 terabytes and also includes 18 million orders with phone numbers, emails, addresses, and payment details, says intelligence firm chief


Neha Alawadhi  |  New Delhi 

Adding to a slew of recent corporate data breaches involving Indians' data, millions of records of pizza chain Domino's customer data have allegedly been leaked online.

According to tweets from Alon Gal, the Israel-based co-founder and Chief Technology Officer of cybercrime intelligence firm Hudson Rock, the data amounts to 13 terabytes. He tweeted on Sunday that the data includes as many as 18 million order details, with phone numbers, emails, addresses and payment details, including one million credit card details. The data, said Gal, was up for sale on the dark web, and the threat actor is asking for $550,000 for it. The threat actor also had plans to build a search portal to enable searching the data, he added.

A company spokesperson for Domino's India said, "[Jubilant FoodWorks] experienced an information security incident recently. No data pertaining to financial information of any person was accessed and the incident has not resulted in any operational or business impact. As a policy we do not store financial details or credit card data of our customers, thus no such information has been compromised. Our team of experts is investigating the matter and we have taken necessary actions to contain the incident."

Jubilant FoodWorks is the parent firm of Domino's India.

Rajshekhar Rajaharia, the cybersecurity researcher who first alerted users about a big data breach at payments firm MobiKwik last month, said he had alerted the Computer Emergency Response Team (CERT-In), the Indian government's cyber incident arm, about the Domino's breach in March.

"Again Big Data Leak! 20 Crore Order Details including 13 TB data of Domino's India alleged leaked from #DominosIndia Server. Data Includes mobile, email, name, home address, payment type and Social Login Tokens. It seems Financial data is not there. #infosec #GDPR," Rajaharia tweeted on Monday.

He further said that the Domino's data was earlier claimed to be in the possession of the same hacker who had accessed MobiKwik data. "It Seems, the same Hacker who alleged hacked #Mobikwik, was having #Domino's Access from Feb. 2021. I had alerted CERT-IN on 5th march 2021 about this. Later first Hacker sold server access to some other reseller. Now They are planning to create another search engine," he added.

"Domino’s India joins a string of hacking incidents involving Indian firms in the recent past, including Bigbasket, BuyUcoin, JusPay, Upstox and others. There needs to be an increased focus on cybersecurity - based on our research, on average, an organization in India has been attacked 1,681 times a week in the last 6 months. This is more than 2.5x higher than the global average of 667 attacks globally," said Sundar N Balasubramanian, Managing Director, Check Point Software Technologies, India and SAARC.

The alleged breach at Domino's once again highlights the lack of legal and operational remedies available to Indians in case their data is leaked online.

India does not yet have specific legislation dealing with user data breach cases or penal actions relating to them. The Personal Data Protection Bill, which is proposed to deal with such cases of data breaches, has been pending in the Lok Sabha since 2019.

"Customers need to be made aware of the breach and provide means to protect against future misusing of their personal and credit card data. Organisations in India have to be made liable for such breaches with enough financial implication making data security a top priority in every enterprise," said Sonit Jain, CEO of cybersecurity firm GajShield Infotech.

The alleged data breach at MobiKwik is said to have affected the data of 3.5 million of its users, exposing know-your-customer documents such as addresses, phone numbers, Aadhaar cards, PAN cards and so on. The size of the data was reported to be 8.2 TB. MobiKwik has denied the breach.

Earlier this month, Facebook and LinkedIn also saw data leaks of millions of users, including the data of Indian users. While both admitted that customer data had been leaked, both said it wasn't hacked from their systems, but had been scraped. Scraping means using an application to extract valuable information from a website.

First Published: Mon, April 19 2021. 17:00 IST