Data leak with consequences for Domino’s Pizza

June 16, 2014

Itnews reports in Domino’s Pizza blackmailed over mass data leak that hackers who stole personal information of its customers, described as 600,000 customer details, want €30,000 for the data. It is a huge breach of data security, effected through a vulnerability in an old ordering site. If that is the case, Domino’s has a real responsibility. Organisations which fail to maintain proper data security practices, which includes upgrading old platforms and sites, cannot claim to be victims of a hacking attack in the same way as those whose information is interfered with.

The article provides:

Fast food giant Domino’s Pizza has been held to ransom for €30,000 (A$43,500) after hackers stole over 600,000 customer details from a legacy platform used by the company’s European operations.

A group named Rex Mundi last week claimed to have breached the systems of Domino’s operations in Belgium and France, and captured large amounts of customer data. Hours later, the group demanded the €30,000 from Domino’s in exchange for not releasing the data.

The paste containing customer data has since been removed.

A Domino’s Australia spokesperson revealed the data in question involved names, email addresses and phone numbers. No financial records or bank account details were accessed as the company does not hold such data on file, the spokesperson said.

No Australian, New Zealand, Netherlands or Japanese customers were affected.

The hackers were able to access the data through a vulnerability in an old ordering site created in Europe, which is being transitioned to the new Australian-created platform over the next 18 months.

“We value customers’ privacy and we immediately took appropriate steps to close the vulnerability and are continuing to monitor the situation closely. The relevant teams are working closely with local police in relation to this matter,” a spokesperson said.

Domino’s France has not indicated whether it will pay the ransom, but confirmed the data breach via Twitter.

The French arm of the global pizza delivery conglomerate said it uses encryption to protect commercial data, but in this case it did not help.

“The hackers we encountered are seasoned professionals and it is likely that they are able to decode the encrypted information, including passwords.”

“We sincerely regret the situation and take the illegal access [of customer data] very seriously,” it stated and advised customers to change their passwords.

But the hackers have claimed via Twitter that security provisions were not as strong as the company claims.

@dun4n The @dominos_pizzafr passwds are stored as unsalted MD5 hashes. Anyone can decrypt them either online or with CAIN.

— Rex Mundi (@RexMundi_Anon) June 14, 2014

Domino’s online operations in France and Belgium are owned by ASX-listed Domino’s Pizza Enterprises, which has been in the process of transferring its Australian-made iOS and Android apps to its European subsidiaries over the last 12 months.

None of the Australian created digital platforms were affected, a local spokesperson said.

The system in question may also have been hacked earlier than June 13. A letter to customers purporting to be from Domino’s European chief executive Andrew Rennie and published on a Belgian blog said the company suffered an attack on June 9 resulting in data being leaked.
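As an added illustration, not code from the article or from Domino’s, the contrast between the unsalted MD5 storage the tweet describes and a salted, iterated hash: with unsalted MD5, two customers who chose the same password get the same digest, so a leaked table can be matched against any precomputed list, whereas a per-record salt and PBKDF2 work factor remove both shortcuts. The user names and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample records: two customers who happened to pick the same password.
USERS = {"alice": "pizza123", "bob": "pizza123"}


def legacy_md5(password: str) -> str:
    """Unsalted MD5 hex digest, the storage scheme the tweet attributes to the legacy site."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = 200_000) -> dict:
    """Salted PBKDF2-HMAC-SHA256: a fresh random salt per record plus a work factor."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def legacy_digests_collide(users: dict) -> bool:
    """True if any two users share a digest: unsalted MD5 exposes equal passwords in a dump."""
    digests = [legacy_md5(p) for p in users.values()]
    return len(digests) != len(set(digests))


def salted_digests_collide(users: dict) -> bool:
    """With a random salt per record, equal passwords no longer produce equal hashes."""
    digests = [hash_password(p)["hash"] for p in users.values()]
    return len(digests) != len(set(digests))


if __name__ == "__main__":
    print("unsalted MD5 digests collide:", legacy_digests_collide(USERS))   # True
    print("salted PBKDF2 hashes collide:", salted_digests_collide(USERS))   # False
    rec = hash_password(USERS["alice"])
    print("verify correct password:", verify_password("pizza123", rec))    # True
    print("verify wrong password:", verify_password("pizza124", rec))      # False
```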
