
Data leak from Dominos India affects 180 million users

Data belonging to around 180 million users who ordered food from Dominos India was leaked online and is now available for sale. According to a searchable website allegedly created by the hacker, this writer spent Rs 4,378 across six orders placed on Dominos India’s website in 2019.

While Dominos India contended that no payment information was leaked, sensitive details such as users’ addresses, order size, total spends, name, email, mobile and GPS location were breached in this cyber attack. The leak was first discovered by cybersecurity researcher Rajshekhar Rajaharia. On this website created by the hacker, one can view a user’s order history by entering their mobile number and email.

This is not the first time that the data leak has been reported. In April, a cybersecurity researcher claimed that credit card data of nearly 1 million users who purchased Domino’s Pizzas online was being sold on the dark web. Alon Gal of Hudson Rock, who had recently flagged the Facebook data breach, claimed that the hackers were asking for nearly Rs 4 crore (USD $550,000) for a 13TB database containing more than 180 million order details, names, phone numbers, emails, addresses, payment details and a “whopping 1,000,000 credit cards”. From the screenshots shared by Gal in his tweet, it looked like the database includes the company’s internal files from 2015–2021.


Rajaharia told MediaNama that the same hacker behind the MobiKwik leak is behind the Dominos leak. “Last month, this hacker revealed that they had accessed Dominos’ cloud-server in February-end this year, and then later sold the data exploit to another hacker in April. This second hacker has now uploaded the data on the website. I had informed the Computer Emergency Response Team-India on March 5,” he said.

According to the website, around 13 terabytes’ worth of employee files and customer details are available. Around 180 million rows of data can be searched and queried on the website. The hackers said that “payment details and employee files will be made public soon.” This writer found details of their total spends, total order, last order time and payment, and the delivery address with the GPS coordinates. This writer was not made aware of the leak by Dominos India either via email or text message.

MediaNama is not linking out to the website as part of our responsibility to not publicise the data uploaded by the hacker.

Dominos says payment details not leaked, secured by payments provider

A statement from a spokesperson at Jubilant FoodWorks Ltd, the company licensed to operate Dominos Pizza in India, said that a team of experts is investigating the matter and that the company has taken necessary actions to contain the incident. “Jubilant FoodWorks experienced an information security incident recently. No data pertaining to financial information of any person was accessed and the incident has not resulted in any operational or business impact. As a policy we do not store financial details or credit card data of our customers, thus no such information has been compromised,” the spokesperson said over email.


As of September 2020, around 99% of Domino’s Pizza sales took place online compared. The share of mobile ordering as part of online ordering also increased to 98%, while Dominos Pizza’s mobile app has 43.8 million downloads as of September 2020 compared to 25.3 million in the previous year.

According to Rajaharia, since Jubilant does not store card or payment details entered by customers either on Dominos’ website or mobile application, payment data has not been leaked. “But one does not know if the hacker has accessed payment details through the hack since Dominos can fetch card payment data from their payments provider,” he said.

The Terms & Conditions on Dominos India’s website state that Paytm is the payments provider and that “customer saved card(s) details on Dominos India Application, Progressive Web Applications or Desktop, is always saved by Paytm (except CVV number) and not by JFL.” Paytm declined to comment.

“Customer’s personal cards as shown on Dominos India Application, Progressive Web Applications or Desktop, are always fetched from Paytm. Domino’s India Application can also fetch Customer card information from Paytm. Although the same shall not be saved on the Domino’s India Application. Domino’s India Application will always seek Customer permission prior to fetching Customer card information from Paytm or even save a new card,” the website said.

Growing cyber incidents and data leaks

Cyber-crimes have been on the rise ever since the COVID-19 pandemic began early this year, due to an increased reliance on digital tools and the internet. According to a study by software firm Micro Focus, Indian organisations have experienced a 58% increase in cyber-security challenges over the last few months, while there was a 51% increase in the challenge to investigate or remediate incidents. Around 98% of Indian organisations are short-staffed when it comes to security, the study said.

The AI data breach is one of the most significant data breaches in recent history, given that customer information stored on their servers for nearly a decade has been compromised. Indian businesses have suffered numerous data breaches in recent months. While incidents of data breaches and personal information being sold on the dark web are increasing year-on-year, the Indian government is yet to introduce a personal data protection law in Parliament. Recently, the government said it is working on a new national cyber security strategy.


In January, millions of customer records and sensitive card data belonging to millions of people were leaked on the dark web due to a security compromise at a server used by Juspay, a major payment gateway provider in the country. This was reported to be the largest data breach in the country’s history at the time. In March, sensitive data belonging to millions of cardholders and users stored on MobiKwik’s servers was compromised and put up for sale online. And in April, the personal details of 2.5 million users stored by stock-market brokerage Upstox were leaked.


© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
