After a hacker made 13TB of data from nearly 18 crore Domino's India orders, including key customer details, public on the Dark Web, cyber security researchers on Monday stressed the need for organisations handling end-user data to invest more in cybersecurity solutions and practices that will enhance their security posture.
Independent cyber security researcher Rajshekhar Rajaharia first reported that Domino's India has been hit by a hacker again, after Alon Gal, CTO of cyber security firm Hudson Rock, claimed in April that credit card details of nearly 10 lakh people who had purchased online from Domino's Pizza India were allegedly being sold for over Rs 4 crore on the Dark Web.
According to Rajaharia, data from 18 crore Domino's Pizza India orders has now become public; it contains the name, email, phone number and even the GPS location of users.
According to him, the same person who earlier hacked the financial services company MobiKwik compromised Domino's India.
"The earlier hacker failed to receive ransom and sold the data to some unknown hacker, who has now posted the 13TB data of Domino's India on the Dark Web," Rajaharia told IANS.
What the case is about
In an earlier statement, Jubilant FoodWorks, which owns the master franchise for Domino's Pizza in India, told IANS that the company had experienced an information security incident recently.
"No data pertaining to financial information of any person was accessed and the incident has not resulted in any operational or business impact," the spokesperson said.
"As a policy, we do not store financial details or credit card data of our customers, thus no such information has been compromised."
Rajaharia said people who have access to a portal developed by the hacker are using it to spy on customers by checking their location along with the order date and time.
"Data of 18 crore orders of Domino's India have become public. Hacker created a search engine on Dark Web. If you have ever ordered @dominos_india online, your data might be leaked. Data include Name, Email, Mobile, GPS Location etc," Rajaharia tweeted.
When contacted by PTI, Jubilant FoodWorks repeated that it had recently experienced a security incident in which no financial details of customers were breached, and added: "Our team of experts is investigating the matter and we have taken necessary actions to contain the incident," the company spokesperson said.
Rajaharia said the hacker has created a search engine for the database which is being misused by people.
"The worst part of this alleged breach is that people are using this data to spy on people. Anybody can easily search any mobile number and can check a person's past locations with date and time. This seems like a real threat to our privacy," Rajaharia said.
According to Prakash Bell, Head of Customer Success and SE Lead, India and SAARC, Check Point Software Technologies, implementing technology solutions such as ZTNA, DLP, XDR and security posture management is key to warding off such incidents, IANS said.
"Complementing these with employee education around data handling, vigilance, tight security controls, processes and audits would help create the desired culture," Bell said in a statement.
There have been a string of hacking incidents involving Indian firms in the recent past, including Bigbasket, BuyUcoin, JusPay, Upstox and others.
How to avoid a data breach
Prakash Bell, Head of Customer Success and SE Lead, India and SAARC, Check Point Software Technologies, outlined a few pointers on avoiding and handling such data breaches.
What organisations should do
1) Organisations handling end-user data should be investing more in cybersecurity solutions and practices that will enhance their security posture. Implementing technology solutions such as ZTNA, DLP, XDR and security posture management is key. Complementing these with employee education around data handling, vigilance, tight security controls, processes and audits would help create the desired culture.
2) In case of a breach, organisations should be transparent, reach out to affected users directly and share the scope of the impact of the breach, what actions end users need to take to address the breach impact and what measures the organisation has taken/is taking to address current and future incidents. Besides instilling confidence in their end customers for continued business engagement, it would also help restore the damaged trust.
What consumers should do
1) Users need to educate themselves with data privacy practices and engage with vendors with only the right amount of information necessary. Restrict certain services to specific numbers/email-IDs, and where possible, enforce parental controls on children’s accounts and devices.
2) It is important to use a mobile platform that emphasises privacy and data security – choose a brand/organization that does not monetise your data. Additional measures include installing AV/malware protection applications on your mobile devices as well as keeping your device OS and apps up-to-date to benefit from the latest security fixes.
3) When it comes to online accounts, use strong passwords with help from password managers, and enable two-factor authentication at every opportunity.
4) From an app hygiene standpoint, install only apps from official app stores. Users should evaluate and restrict access to their contacts, location data, clipboard etc. for all apps on their phone, especially social media apps, which are the worst offenders: be very, very restrictive.
5) Apps need to have access only to the data they need. Also, uninstall unused/unnecessary apps.
6) It is imperative that everyone shares their knowledge with family and friends, to educate them around 'online data hygiene'. Staying vigilant will keep everyone and their data safe.
(With inputs from agencies)