Multinational Restaurant Chain Data Breach Resurfaces; Customer Location, Mobile Numbers Exposed

Source: This article was first published on Inc42.

  • Data related to over 18 Cr orders from pizza chain Domino’s India appeared on the dark web last month
  • Now, it has been put up on the dark web as a search engine of sorts, allowing hackers to track and trace users down to their visited locations
  • The data includes names, email addresses, mobile numbers, GPS coordinates and more related to Domino’s pizza orders

After data related to over 18 Cr orders from pizza chain Domino’s India appeared on the dark web last month, now the same database has been made public by the hacker or hacking group. The data has been put up on the dark web as a searchable database allowing hackers to track and trace users down to their visited locations.

Last month, a threat actor claimed to have stolen 13 TB of data from Domino’s India, including the personal information of 250 employees across functions, as well as customer details from 18 Cr orders.

Now this data has been put up on a search engine of sorts, according to cybersecurity researcher Rajshekhar Rajaharia. He further added that this includes names, email addresses, mobile numbers, GPS coordinates and more related to Domino’s orders.

In a screenshot posted on Twitter, one can see that the data can be used to create a map of a user’s visited locations by matching the phone number to the GPS location data. “The worst part of this alleged breach is that people are using this data to spy on people. Anybody can easily search any mobile number and can check a person’s past locations with date and time. This seems like a real threat to our privacy,” Rajaharia said.

The screenshot of the leaked data from Domino’s India.

News about the data leak was shared last month on Twitter by Alon Gal, cofounder and CTO of cybercrime intelligence firm Hudson Rock. The database was being sold on the dark web for around two to eight bitcoins, with a 50 bitcoin ransom for the company to block the sale of its data.

The database includes personal details of the customers provided to Domino’s India when they placed an order through its website or app. These include names, phone numbers, email IDs, addresses and payment card details. However, the hacker has denied sharing any sample of the stolen data with cybersecurity researchers, which means that claims about the stolen data, its size and contents are just allegations at this point in time.

According to screenshots of the leaked database shared by Gal on Twitter, the data stolen from Domino’s India’s database is from the period between 2015-21, although this remains unverified. Responding to the data breach allegations last month, a Domino’s India spokesperson told Inc42 that while the company had detected an ‘information security’ incident recently, no financial information of users had been compromised.

“The incident has not resulted in any operational or business impact. As a policy we do not store financial details or credit card data of our customers, thus no such information has been compromised. Our team of experts is investigating the matter and we have taken the necessary actions to contain the incident,” the spokesperson had said at the time.

The company did not respond to questions about the severity of the customer location and phone numbers data being leaked.

Hackers Target Indian Startups

IBM’s ‘Cost of a Data Breach Report 2020’ states that Indian companies witnessed an average $2 Mn total cost of a data breach in 2020, representing an increase of 9.4% from 2019. A total of over 26,100 Indian websites were hacked in 2020 amid the pandemic as per the data recorded by the state-owned Indian Computer Emergency Response Team (CERT-In).

In March, Network18-owned finance portal MoneyControl also suffered an alleged data breach, one that supposedly affected 7 lakh users. Days before, online discount broking platform Upstox suffered a data breach that allegedly affected 2.5 Mn users. And last month, fintech startup Mobikwik denied claims about a data breach impacting 100 Mn users, despite proof of the data belonging to Mobikwik users.

It is worth noting that in February, the Reserve Bank of India (RBI), alarmed by the state of data breaches affecting Indian startups and payments processors, issued new guidelines which stated that payment aggregators and gateways would not be allowed to store the card details of a customer online. The decision came a few weeks after a data breach affecting payments processor Juspay led to over 10 Cr user records being leaked online.

As of now, no action has been taken against any of these platforms for not keeping customer data safe. In a hyper-connected world with tech platforms often having an overlap of users, such data leaks have a cascading impact on the entire ecosystem.

In November last year, BigBasket faced a data breach that exposed the personal details of around 2 Cr users. The data was put up for sale for around INR 30 Lakh and in April this year, the data was leaked online in a similar manner to how the Domino’s India database has been leaked. Since then, many users who have been impacted in the BigBasket leak have complained that their Flipkart accounts have been hijacked.

The problem here could potentially extend beyond Flipkart, because in this case it is not Flipkart’s data that has been leaked but rather passwords and usernames belonging to BigBasket users, who also have accounts on Flipkart. Many of these users are likely to have used the credentials they used for BigBasket for other platforms.