Pizza delivery service Dominos India is the latest victim of a massive data breach that exposed order details of 18 crore Pizza orders made via the service. The data breach, first spotted by Internet Security Researcher Rajshekhar Rajaharia (@rajaharia) includes 130TB of employee data files and customer details.
The attackers who are responsible for the breach, also created a webpage on the dark web that pulls the data for any of the leaked order details simply by searching for a phone number or an email address. The data now appears to be publicly available and anyone can search for it easily. It no longer requires a browser like Tor or Onion.
The worst part of this alleged breach is that people are using this data to spy on people. Anybody can easily search any mobile number and can check a person’s past locations with date and time. This seems like a real threat to our privacy. #InfoSec #GDPR #DataLeak pic.twitter.com/5G494xJSCf
— Rajshekhar Rajaharia (@rajaharia) May 22, 2021
Update on alleged @dominos_india Data Breach!!
It seems, Dominos is using PayTM as its Payment Gateway. 1 Million Credit Cards might not be there in leaked data. If cards are still there, It’s strange and part of the investigation. #InfoSec #GDPR #dataprotection @UnderTheBreach pic.twitter.com/J5oFek3Tqe
— Rajshekhar Rajaharia (@rajaharia) April 20, 2021
Indian Express verified that the leaked contents do match up for some of accounts. We were able to see order histories, address details, etc for at least three mobile numbers when searching on the database. The page itself has been viewed over 5,60,500 times as of writing this story and has a search count of over 3,05,09,200 searches.
Who is affected?
Any user who has ordered from Dominos India via a phone call using their phone number or email ID could have been affected by the leak. Users interested in finding out if their phone number or Email ID has been a part of the breach can head over to the link mentioned in the tweet above and enter their phone number to check for themselves.
However, note that while the servers for the link are currently working as of writing this story, they may go down soon to prevent any further spread of leaked information.
What data has been leaked?
The leaked information includes the details of some transactions which reveals the order delivery address, the date, the name, phone number and email ID of the customer, precise latitude and longitude coordinates of the address, total number of transactions and the total amount spent on transactions in Rupees.
What are security experts saying?
“Organisations handling end-user data should be investing more in cybersecurity solutions and practices that will enhance their security posture. In today’s digitalised world, protecting end-customer information is vital,” Prakash Bell, Head of Customer Success and SE Lead, India & SAARC, Check Point Software Technologies said on the leak.
“Implementing technology solutions such as ZTNA, DLP, XDR and security posture management is key. Complementing these with employee education around data handling, vigilance, tight security controls, processes and audits would help creating the desired culture,” he added.