Blog

News about the data leak was shared on Twitter by Alon Gal, who claims to be the cofounder and CTO of cybercrime intelligence firm Hudson Rock

Gal found the hacker selling the database on the dark web for around two to eight bitcoins

The data allegedly contains customers’ names, phone numbers, email IDs, addresses and payment card details

A threat actor has claimed to have stolen data sized 13 TB from Domino’s India’s database, putting the personal information of 250 employees across functions, as well as 18 Cr order details in jeopardy. 

News about the data leak was shared on Twitter by Alon Gal, cofounder and CTO of cybercrime intelligence firm Hudson Rock. Gal found the database being sold on the dark web for around two to eight bitcoins. On the dark web marketplace, the hacker reportedly wrote that if Domino’s India wants to prevent the database from being sold, it would have to pay the hacker 50 bitcoins as ransom. 

The database includes customers’ personal details which they are required to provide to Domino’s India while placing an order. These include names, phone numbers, email IDs, addresses and payment card details. However, the hacker has denied sharing any sample of the stolen data with cybersecurity researchers, which means that claims about the stolen data, its size and contents are just allegations at this point in time. 

In a statement to the media, Domino’s India, while confirming that the company had detected a data breach some time back, denied that any financial information of users had been compromised. 

“The incident has not resulted in any operational or business impact. As a policy we do not store financial details or credit card data of our customers, thus no such information has been compromised. Our team of experts is investigating the matter and we have taken the necessary actions to contain the incident,” the company’s spokesperson said. 

It is worth noting that in February, the Reserve Bank of India (RBI), alarmed by the state of data breaches affecting Indian startups and payments processors, issued new guidelines which stated that payment aggregators and gateways would not be allowed to store the card details of a customer online. This has meant that for making online payments, Indian customers have to feed their card details each time. The RBI’s decision came a few weeks after a data breach affecting payments processor Juspay led to over 10 Cr user records being leaked online.

According to screenshots of the leaked database shared by Gal on Twitter, the data stolen from Domino’s India’s database is from the period between 2015-21, although this remains unverified. The threat actor is also looking to build a search portal for the data, similar to the one built by Mobikwik hackers. 

Last week, Network18-owned finance portal Moneycontrol also suffered an alleged data breach, one that supposedly affected 7 lakh users. Days before, online discount broking platform Upstox suffered a data breach that allegedly affected 2.5 Mn users. And last month, fintech startup Mobikwik denied claims about a data breach impacting 100 Mn users. Data breaches that affected global tech giants Facebook and LinkedIn have also made the news in recent weeks. 

A report by IBM’s ‘Cost of a Data Breach Report 2020’ states that Indian companies witnessed an average $2 Mn total cost of a data breach in 2020, representing an increase of 9.4% from 2019.  A total of over 26,100 Indian websites were hacked last year as per the data recorded by the state-owned Indian Computer Emergency Response Team (CERT-In).