Domino’s Data Leak in India: Analysis
Domino’s, the pizza company, suffered a huge data leak in India, first reported in April 2021.
Details of 18 crore Domino’s orders were leaked, amounting to 13 terabytes of employee and customer data made available online, including name, phone number, home address, payment type, social login and lots more. However, financial details were not leaked.
The Data Accessed in the Domino's Data Leak
13 terabytes is no small amount. To give some context, 180 million rows of searchable data were available.
Again Big Data Leak! 20 Crore Order Details including 13 TB data of Domino's India alleged leaked from #DominosIndia Server. Data Includes mobile, email, name, home address, payment type and Social Login Tokens. It seems Financial data is not there. #infosec #GDPR @jackerhack pic.twitter.com/glOAFpQCD7— Rajshekhar Rajaharia (@rajaharia) April 19, 2021
In other words, anyone could enter a name or phone number into a search engine and easily locate incredibly sensitive personal information.
Although it is not clear how the data was obtained, speculation points to a malicious insider or an external attack. There were also reports that some of the data had been sold on black market sites for as little as $0.50 per record.
Investigators noted that Domino’s servers were breached earlier in the month, and it is likely that the same hacker extracted the data.
This incident raises serious concerns about the security of personal data and its handling in India.
Alleged #Dominos India 18 Crore Order's Data #SearchEngine is now listed & ranking on Google Search. Our privacy is now searchable in @Google. #Dominos should immediately alert its affected users. #InfoSec #GDPR #DataLeak @troyhunt @fs0c131y @jackerhack @internetfreedom pic.twitter.com/uxbWxfsGgS — Rajshekhar Rajaharia (@rajaharia) May 25, 2021
Further Questions Raised About Financial Data in the Domino's Data Leak
Jubilant FoodWorks, the company that owns and operates Domino’s India, said in a statement that no personal financial data was accessed in the attack.
Some key quotes from the statement:
“Jubilant Foodworks experienced an information security incident on 24th March, 2021 wherein our systems were attacked by a hacker. We moved quickly to contain the breach and hired an external agency to do an impact assessment.”
“Domino’s, as a policy, does not store financial details of users such as complete credit card number, CVV, passwords etc. and therefore, no such information was compromised.”
Conversely, the attacker threatened to release all the personal financial information that was taken. However, this never happened.
It remains unclear who is telling the truth, though it feels like Jubilant FoodWorks was working extremely hard to cover up a PR disaster.
What Happened After the Domino's Data Leak?
Two months after the attack, in June 2021, the government informed the Delhi High Court that it had blocked and removed all of the hacked URLs identified by investigators.
This was after Jubilant FoodWorks had approached the Delhi High Court and asked for direction from the Ministry of Electronics and Information Technology and the Department of Communications, Ministry of Communications in India.
Despite this, some data experts are saying that the damage has already been done. They believe that malicious hackers may have copies of this data and could choose to use it again at any time.
As such, it is critical that we take steps to protect our personal data and ensure that companies are held accountable for the safety of customer information. Calls for regulation are at an all-time high, particularly in India.
Overall, the Domino’s data leak has raised serious concerns about the security of personal data in India.