On April 16, 2021, hackers announced on an infamous hackers’ forum that they had gained access to the Domino’s India servers and downloaded 13 TB of data containing employee and customer data. The threat actors also claimed that they had obtained the information of over one million credit cards used to place orders on the application.
In the initial post on the forum, the hackers wrote, “We breached Domino’s India and got 13TB all internal files of 250 employees from IT, Legal, Finance, Marketing, Operations etc. We got all customers details, and 180M order details (name, ph number, email, delivery address, payment details) and 1M credit cards used to purchase on Dominos app. Internal files contain all files from 2015-2021 and lots of outlook mail archives. Breach – April 2021.”
When we further examined the thread, it was easier to create a timeline of the events.
On April 16, hackers announced that they had breached Domino’s servers.
On April 17, they mentioned in the comments that they were looking for 10 BTC (Bitcoin) for the data. At that time, they had an offer of 2 BTC in hand. As they had mentioned that Domino’s might pay them 50 BTC, it was clear that they had contacted Jubilant Foodworks, the parent company of Domino’s. The hackers also said that they were planning to build a search engine, as another hacker group did in the case of MobiKwik. Notably, the hackers were ready to pay $1000 to someone who could help them create the search engine.
On April 18, security experts published details of the breach on social media platforms.
NOT AGAIN ! A member of a #hacking forum has allegedly breached @dominos_india and got access to 13TB of internal files (from 2015-21), which he threatens to sell if a #ransom of 50 BTC is not paid 😨 #india #databreach #infosys #gdpr #privacy — Sourajeet Majumder (@TechCrucio) April 17, 2021
On April 19, news agencies started to pick up the news, and several reports appeared on different news portals.
On April 19, Jubilant Foodworks issued a statement and said, “Jubilant Foodworks experienced an information security incident recently. No data pertaining to the financial information of any person was accessed, and the incident has not resulted in any operational or business impact. As a policy, we do not store financial details or credit card data of our customers, thus no such information has been compromised.”
On April 21, the hackers announced that their search engine was ready, and they were uploading the data.
On May 20, they finally announced the dark web link to the search engine.
Experts’ opinion on the breach
Jubilant Foodworks does not seem to have taken any step to keep the data out of the hands of scammers, and the data has the potential to cause serious privacy concerns. The problem is that customers share with companies like Domino’s several pieces of personal information that can potentially cause financial or even physical harm. Even those who tend not to share their address with anyone are searchable with only a phone number.
Independent security researcher Sourajeet Majumder (@TechCrucio) published a thread on Twitter explaining the breach. He said that he was able to see all the personal details on the search engine. On May 21, 2021, he wrote, “On using the search portal made by the threat actor, I was able to find my phone number/email, all delivery addresses, delivery amount and order time & date.”
Although the breach does not include any payment details, the hacker promises that they will be made public soon.
When OpIndia talked to Sunny Nehra, Admin at Hacks And Security, about the Domino’s data breach, he said, “It has become such a common practice first to have flimsy security and then claim there is no privacy concern. If such companies do not start taking such breaches seriously, they will lose trust among the customers.”
Alon Gal, Co-Founder & CTO, Hudson Rock, had shared the information about the breach in April. He wrote, “Threat actor claiming to have hacked Domino’s India and stealing 13TB worth of data. Information includes 180,000,000 order details containing names, phone numbers, emails, addresses, payment details, and a whopping 1,000,000 credit cards.”
The threat actor is looking for around $550,000 for the database and saying they have plans to build a search portal to enable querying the data. pic.twitter.com/o2UuA7LWXJ — Alon Gal (Under the Breach) (@UnderTheBreach) April 18, 2021
“Plenty of large scale Indian breaches lately, this is worrying,” he had added.
We have hidden the information of the hacker, the dark web link and other identifying markers.