Rex Mundi, a self described hacktivist group has claimed to have breached the network server of Domino’s Pizza in France and Belgium, stealing sensitive customer data for more than 650,000 of Domino’s customers; specifically 592,000 French and 58,000 Belgium customers’ data.
The cyber criminals posted a statement on a text- sharing forum called Pastebin in which the Rex Mundi cyber criminals claim to have been able to download Domino’s customer’s names, delivery addresses, phone numbers, email addresses and passwords and demanding a ransom. The following is taken from Rex Mundi’s Pastebin posting:
We immediately sent various emails to both Domino’s Pizza France and Belgium. We also used the contact forms on their websites to let them know of this vulnerability and to offer them not to release this data in exchange for 30,000 Euros.
So far, Domino’s Pizza has not replied to our demands. We would also like to point out that both of their websites are still up and vulnerable.
Domino’s Pizza has until Monday at 8PM CET to pay us. If they do not do so, we will post the entirety of the data in our possession on the Internet.
As proof of the cyber heist’s validity Rex Mundi published the names, addresses, phone numbers, email addresses and passwords of three Domino’s France customers and three Domino’s Belgium customers. The hackers also announced its attack of Domino’s on Twitter and instructed the affected customers to sue Domino’s for failing to pay the ransom to protect their customer data if Domino’s did not meet their demands.
Newspaper accounts of the cyber attack have reported that Domino’s spokesperson Andre ten Wolde had stated that the company had contacted all of its customers that may have been affected by the breach, and confirmed that Domino’s has no intention of paying Rex Mundi’s ransom demands. In an emailed statement Wolde said,
The data hacking is isolated to the Domino’s franchise in France and Belgium, and no customer credit card or financial information was compromised. Domino’s customers in the UK and Republic of Ireland are not affected by this incident. The security of customer information is very important to us. We regularly test our UK website for penetration as part of the ongoing rigorous checks and continual routine maintenance of our online operations.
Although there have been no indications from Domino’s that the cyber breach included customer payment information, company spokesman Andre ten Wolde said that the breach was considered very serious and carried out by sophisticated cyber criminals, and admitted that even though Domino’s uses encryption the level of criminal hacking experience Rex Mundi have make it highly likely that the passwords would be cracked.
In a statement from Domino’s provided to Information Security Media Group the company said, “No credit card or bank information relating to any of our clients has been affected by this hacking since the technology platform that was affected does not accept credit card payments, and Domino’s Pizza’s database does not save this type of information.”
A cyber breach of customer data will often be used to perpetrate phishing scams in which the cyber thieves will send official looking emails claiming to be from Domino’s with the intent of extracting more sensitive information from the Domino’s customers who were affected by the breach.
Domino’s customers who use or have used the online delivery service should change their password and make certain they have not used the same password for other sites. Additionally, people should not click on any links in emails that appear to be from Domino’s, instead go directly to Domino’s official website or telephone them directly to inquire about any emails you may have received.
Domino’s has filed a complaint with Paris’s director of public prosecutions and is working in conjunction with law enforcement officials, as well as third party cyber security experts to make a thorough investigation into the breach.
Additional Resources About This Breach:
http://www.databreachtoday.com/ransom-sought-in-dominos-pizza-breach-a-6957
http://www.welivesecurity.com/2014/06/16/dominos-pizza-hacked/
http://www.theguardian.com/technology/2014/jun/16/dominos-pizza-ransom-hack-data
https://nakedsecurity.sophos.com/2014/06/16/dominos-pizza-hacked-customer-database-held-to-ransom/
http://www.infosecurity-magazine.com/news/dominos-pizza-customers-exposed/