Domino's data breach: Details of 18 crore orders, 10 lakh credit cards compromised

In a massive data breach, 18 crore order details of popular pizza delivery chain Domino's India have been leaked and are now available on the dark web. The leaked data includes sensitive information like mobile number, name, e-mail, and GPS location of users.

Hackers breached Domino's India servers and have got access to the details of 18 crore orders and 10 lakh credit cards that were used to purchase on the company's application. The personal details of customers, over 13TB data, are now available for public access on the dark web.

The data breach was first flagged by cybersecurity researcher Rajshekhar Rajaharia.

"Again!! Data of 18 crore orders of Domino's India have become public. Hacker created a search engine on Dark Web. If you have ever ordered Dominos India online, your data might be leaked. Data include name, e-mail, mobile number, GPS location, etc, tweeted Rajaharia.

Again!! Data of 18 Crore orders of #Domino's India have become public. Hacker created a search engine on Dark Web. If you have ever ordered @dominos_india online, your data might be leaked. Data include Name, Email, Mobile, GPS Location etc. #InfoSec #GDPR #DataLeak @fs0c131y pic.twitter.com/wIwL5ct6hX

— Rajshekhar Rajaharia (@rajaharia) May 21, 2021

According to a PTI report, Jubilant Foodworks that owns the master franchisee for Domino's Pizza in India has admitted to the data breach while adding that customers' financial information remains safe.

It is also being alleged that the hacker has got access to internal files on Domino’s India servers containing all data from 2015-2021.

The order details of the customers are now in the public domain. This is an infringement of their privacy. Besides, the leaked data is being used to spy on customers and send targeted messages. Hackers have also created a search engine on the dark web.

"The worst part of this alleged breach is that people are using this data to spy on people. Anybody can easily search any mobile number and can check a person's past locations with date and time. This seems like a real threat to our privacy," Rajaharia in another tweet.

The worst part of this alleged breach is that people are using this data to spy on people. Anybody can easily search any mobile number and can check a person's past locations with date and time. This seems like a real threat to our privacy. #InfoSec #GDPR #DataLeak pic.twitter.com/5G494xJSCf

— Rajshekhar Rajaharia (@rajaharia) May 22, 2021

Though Domino’s India claims that the financial details of customers are secure, experts have suggested Domino's customers frequently change their passwords.

Earlier in April, Alon Gal, CTO of security firm Hudson Rock, had said that a threat actor had claimed to have hacked Domino's India's database. He added, "The threat actor is looking for around $550,000 for the database and saying they have plans to build a search portal to enable querying the data."

The threat actor is looking for around $550,000 for the database and saying they have plans to build a search portal to enable querying the data. pic.twitter.com/o2UuA7LWXJ

— Alon Gal (Under the Breach) (@UnderTheBreach) April 18, 2021

The officials of the Jubilant FoodWorks have admitted to the data breach. "No data pertaining to financial information of any person was accessed and the incident has not resulted in any operational or business impact," a company spokesperson said in a statement. As a policy, we do not store financial details or credit card data of our customers, thus no such information has been compromised, added the statement, according to an IANS report.

The company has said that its team of experts is investigating the matter and that "we have taken necessary actions to contain the incident."