Did you pay for your pizza with your personal data?


DOMINOS INDIA DATA BREACH.

Introduction

Pizza delivery service Dominos India is the latest victim of a massive data breach that exposed the order details of 18 crore pizza orders placed through the service. The breach includes a data dump weighing 13TB of employee data files and customer details. The attackers responsible for the breach also created a webpage on the dark web that pulls up the leaked order details for any customer simply by searching for a phone number or an email address. The data now appears to be publicly available, and anyone can search it easily.

What makes this breach unusual from others?

Dominos India brand owner Jubilant Foodworks experienced an information security breach on 24th March, 2021, in which its systems were attacked by a hacker. After the incident, many Dominos customers found their data leaked and publicly available to anyone who had their mobile number or email address: entering a phone number or email address revealed the person’s other details, including the residential addresses where orders were delivered and how much they had spent on the pizza chain’s orders. The information was available via a darknet URL that the attacker had created, which could be easily accessed from any smartphone or computer; it no longer even required a Tor or onion-capable browser.

The worst part of this breach is that this data is being used to spy on people. Anybody can search any mobile number and check a person’s past locations with date and time, which is a real threat to an individual’s privacy. Domino’s uses PayTM as one of its payment gateways, which was itself breached in the recent past. Domino’s hired an external global forensics agency to do an impact assessment and contain the breach. Meanwhile, the darknet page that made the leaked data publicly available has been taken down and can no longer be accessed. The company confirmed that no financial details such as credit card numbers and CVVs were exposed in the data breach.

Implications of Data Breach

The ramifications of such a breach can be multifold. The first thing a company should do when something like this happens is to force a password reset on every account in its database, rather than merely emailing consumers and asking them to change their passwords. This way, customers are compelled to change their passwords. The implication is that these individual customers can now be exploited, and since not all consumers are well informed about such risks, the exposure is large. The Cyber Crime Cell of India was informed, and the Free Software Movement of India said it would take the matter to the courts after it wrote a letter to CERT-IN seeking an investigation into the incident but received no response.

Proactively disclosing a data breach not only helps maintain trust and transparency amongst consumers, but also helps in reducing the cost incurred by such data breaches. The overall cost of a breach often depends on how it is disclosed. “While it may be tempting to try to quietly resolve any issues without the public knowing, it is much more effective if businesses are proactive about disclosing what has occurred. To reduce the chances of their losses increasing, organisations can take control of the situation and make it publicly known that a breach has happened,” Kaspersky said.  

Need for regulation

The Domino’s Pizza data breach is just the latest in a long list of companies that have suffered data breaches in recent times. Businesses that fall victim to a data breach today are responsible not only for protecting their consumers’ data, but also for preventing it from being misused by cybercriminals in the aftermath of a breach. Therefore, it is high time India gets its data protection law. There is a strong need for regulations on cybersecurity and compliance to be put in place. Privacy alone is not enough. We need a regulator who will be regulating, auditing, and making sure that the security controls are in place. Mandatory reporting of breaches should be required and penalties must be levied. We need empowered regulators who can penalise companies and debar them from doing business if need be. All publicly listed companies have an obligation to their shareholders. If a breach can have a material impact on their shareholders, there should be regulations requiring them to report it to the BSE and NSE.

Recommendations

Here’s a list of steps Tsaaro recommends for people who find that they have been impacted by a data breach:

  1. Use different emails and passwords on different accounts. Regular password changes reduce the risk of running into unannounced data breaches.
  2. Mandatorily turn on two-factor authentication for all accounts. Apps such as Authy could be helpful.
  3. Have a secondary email address that doesn’t contain personal information that people can give out to companies or entities, and keep a primary email only for trusted entities.
  4. Consider a credit freeze. This stops anyone from using your data for identity theft and borrowing in your name.
  5. Check your credit report to ensure you know if anyone is applying for debt using your details.
  6. Try to find out exactly what data might have been stolen. That will give you an idea of the severity of the situation. For instance, if tax details and other identity numbers (Aadhaar/ PAN) have been stolen, you’ll need to act fast to ensure your identity isn’t stolen. This is more serious than simply losing your credit card details.
  7. Don’t respond directly to requests from a company to give them personal data after a data breach; it could be a social engineering attack. Take the time to read the news, check the company’s website, or even phone their customer service line to check if the requests are legitimate.
  8. Stolen data can turn up on the dark web years after the original data breach. This could mean an identity theft attempt occurs long after you’ve forgotten the data breach that compromised that account. Monitor your accounts for signs of any new activity.
  9. Close accounts you don’t use rather than leaving them dormant. That reduces your vulnerability to a security breach.
  10. When you’re accessing your accounts, make sure you’re using the secure HTTPS protocol and not just HTTP.

Conclusion

Organisations handling end-user data should be investing more in cybersecurity solutions and practices that will enhance their security posture. In today’s digitalised world, protecting end-customer information is vital and implementing technology solutions such as ZTNA, DLP, XDR and security posture management is key. Complementing these with employee education around data handling, vigilance, tight security controls, processes and audits would help create the desired culture of healthy cyber hygiene.