A popular multinational restaurant chain – Domino’s Pizza – has become a victim of a data breach for the second time this year. Reports suggest that data of over 180,00,000 orders are available on the dark web. This includes users’ phone numbers, email addresses, and GPS locations. The parent company, Jubilant FoodWorks, claimed that no payment or credit card details had been compromised.
This comes after several Indian companies became victims of data breaches in recent times. This is not the first time Domino’s has suffered a data leak either. Nearly a month ago, in April, a group of hackers announced that they had gained access to Domino’s India servers and downloaded 13 TB of data comprising information about its employees and customers. Moreover, they reportedly also obtained one million credit card details that were transmitted during orders made via Domino’s mobile application.
Rajshekhar Rajaharia, an internet security researcher, through his Twitter account, revealed this information for public knowledge. “Again!! Data of 18 crore orders of Domino’s India have become public. Hacker created a search engine on Dark Web. If you have ever ordered @dominos_india online, your data might be leaked. Data include name, email, mobile number, GPS location, etc,” Rajaharia said through his chain of tweets.
What is the Dark Web?
The dark web is a decentralized network of internet sites that try to make users as anonymous as possible by routing all their communication through multiple servers and encrypting it at every step, explains cybersecurity products manufacturer Sophos Home. In layman’s terms, the word ‘dark’ in the dark web means ‘hidden’ or ‘secret’, referring to encrypted online content that is not indexed by conventional search engines. The Dark Net, as it’s also called, does not appear on the search engines that you use in your day-to-day life. It is made up of small, large, and popular networks – friend-to-friend and peer-to-peer – such as Freenet, I2P, Riffle, and Tor, which are operated by public organizations and individuals.
What happens after the breach?
If your data is part of the data breach, your personal information has likely been compromised. This increases the risk of identity theft. The respective company should take up responsibility, accept their faults and inform the affected users. “Alleged Domino’s India hackers now created a public search engine. It is our right to know if our data is leaked. Ask Domino’s to inform affected users,” added Rajaharia.
How can it affect users?
According to Rajaharia, a data breach leads to people spying on affected users based on their past locations. Email spamming is another way to harass individuals, along with unwanted calls and text messages. Hackers, too, can track past movements using the leaked GPS data available on the dark web.
What can affected users do?
Users can check if their details were part of the breach by entering their number or email at this link provided by Domino’s India. This should be opened in incognito mode.
Once you know your personal information is on the dark web, as an individual, your first and foremost steps must include changing your passwords on the affected site or service – in this case, Domino’s India. Establish secure passwords that cannot be easily targeted or tracked and do not share the passwords with anyone, just like one-time passwords (OTPs). Log out from all devices and take action accordingly. Further, strengthen your security by activating two-factor authentication.
Domino’s stance
While most companies fail to alert the affected users, resulting in innocent people being cheated, Jubilant FoodWorks has admitted to the data breach. They released a statement claiming that all customers’ financial information was safe. “Jubilant FoodWorks experienced an information security incident recently. No data pertaining to the financial information of any person was accessed and the incident has not resulted in any operational or business impact.” They emphasized that they do not store any financial details or credit card data of their customers as per their policy and thus, no information has been compromised. A team of experts has been formed to look into the matter and investigate in order to take the necessary actions to contain the incident.
Past incidents
Indian companies and organizations have been increasingly facing such situations that stir the privacy issues of their users and beneficiaries. A couple of months ago, the Reserve Bank of India issued new guidelines stating that payment aggregators and gateways should not store the card details of customers online.
Mobile payment company Juspay, which works with multiple payment gateways, was affected by a data breach that led to over 10 crore users’ records being leaked. Similarly, online grocery supplier BigBasket faced a data breach in which the personal details of around 2 crore users were leaked and put on sale for around Rs. 30 lakhs on the dark web. Air India experienced a massive security breach as well, when the personal data of about 4.5 million passengers was leaked on the dark web, consisting of name, credit card details, contact information, air ticket details, passport information, date of birth, and so on. In late March, MobiKwik succumbed to a data breach that allegedly exposed the private information of nearly 100 million users; the company, however, denied this regardless of proof.