Two months after customer data of Domino’s Pizza was breached and days after the hackers made the data publicly searchable, parent company Jubilant FoodWorks informed customers that it experienced an “information security incident” on March 24. Similar to the statement issued by the company earlier, the communication to customers says that no financial information was compromised. However, the information that was published by the hacker allows anyone to input a phone number or email address and find out the person’s other details, including addresses where they have ordered pizza earlier, and how much they have spent on the pizza chain’s orders.
Since the link became available, it has also been making the rounds on WhatsApp groups. Within a few days, the page had recorded over eight lakh page views and over six crore searches. The company alerted its users only after cybersecurity researcher Rajshekhar Rajaharia tweeted that the link now shows up on Google search. “Our privacy is now searchable in @Google,” he said. Despite this, Domino’s Pizza has not disclosed what kind of information was affected by the breach, and its communication to customers does not address the question either.
Alon Gal, CTO of cybersecurity firm Hudson Rock, said in April that a threat actor had obtained a Domino’s India database of about 13TB. Rajaharia then said he had first reported the Domino’s India hack to CERT-IN, the country’s nodal cybersecurity agency, in March.
Alleged #Dominos India 18 Crore Orders' Data #SearchEngine is now listed & ranking on Google Search. Our privacy is now searchable in @Google. #Dominos should immediately alert its affected users. #InfoSec #GDPR #DataLeak @troyhunt @fs0c131y @jackerhack @internetfreedom pic.twitter.com/uxbWxfsGgS
— Rajshekhar Rajaharia (@rajaharia) May 25, 2021
The ramifications of such a breach could be multifold, experts say. “The implication is that these individual customers can now be exploited. Not all consumers are that educated, so it's a big exposure,” says Raja Ukil, senior vice president and global head of Enterprise Business at cybersecurity startup ColorTokens and former global head of cybersecurity and risk services at Wipro.
The Free Software Movement of India said it would be taking the matter to the courts after it wrote a letter to CERT-IN seeking an investigation into the incident, but did not receive a response. Gagan Jain, the CEO of CyberSafe Bengaluru and a cybersecurity expert, says that through an address, phone number and email address, a person can easily be located. “For example, if I get an email from one of these breaches, I can check where all you have an account right now. If you’re using the same password, I can log in everywhere,” he says.
Rajaharia had earlier said that the worst part of this breach was that people are using the data to spy on others. “Anybody can easily search any mobile number and can check a person's past locations with date and time. This seems like a real threat to our privacy,” he said.
Gagan adds that most people look only at the financial aspect of a breach, and a layperson may believe they have little financial exposure, but the damage goes beyond that and becomes a question of identity. He cites instances of fake IDs, such as passports and Aadhaar cards, being created from data obtained in such breaches and sold on the darknet.
Domino’s Pizza is just the latest in a long list of companies that have suffered data breaches in recent times. Breaches keep happening and put more and more people at risk, yet there are no consequences for the companies themselves. “Businesses that are victims of a data breach today are responsible not only for protecting their consumers' data, but also for preventing it from being misused by cybercriminals in the aftermath of a data breach,” says Dipesh Kaura, general manager, Kaspersky (South Asia).
Raja Ukil of ColorTokens says it is high time India got its data protection law. “There is a strong need for regulations on cybersecurity and compliance which need to be put in place. It’s left to the companies to follow what they want, and a lot of companies don’t follow a structure or methodology,” he says. He adds that consumer-facing companies expect customers to give out a lot of information that is probably not required for the business other than to profile customers, yet they don’t let you sign up unless you provide it.
“Privacy alone is not enough. You need to have a regulator who will be regulating, auditing, and making sure that the security controls are in place. That is the need of the hour,” he said, adding that mandatory breach reporting is needed and penalties must be levied. “We need empowered regulators who can penalise people and debar them from doing business if need be. All public listed companies have an obligation to their shareholders. If there is a breach that can have a material impact on their shareholders, there should be regulations for them to report it to BSE and NSE,” he adds.
Cybersecurity company Kaspersky says that proactively disclosing a data breach not only helps maintain trust and transparency amongst consumers, but also helps in reducing the cost incurred by such data breaches. Kaspersky added that according to its recent report, the overall cost of a breach often depends on how it is disclosed. “While it may be tempting to try to quietly resolve any issues without the public knowing, it is much more effective if businesses are proactive about disclosing what has occurred. To reduce the chances of their losses increasing, organisations can take control of the situation and make it publicly known that a breach has happened,” Kaspersky said.
The first thing a company should do when something happens, Gagan says, is to reset every account in its database rather than merely emailing consumers asking them to change their passwords. That way, customers are forced to change their passwords.
A lot of people use the same email address and password across multiple accounts, which means those other accounts are at risk as well. Gagan suggests making two-factor authentication mandatory on all accounts and recommends apps such as Authy. In addition, he says people should keep a secondary email address that doesn’t contain personal information, which they can give out to companies and other entities, and reserve their primary email for those they trust.
Here is a list of steps Kaspersky recommends for people who find they have been affected by a data breach.
> If a breach could involve your financial information, notify any banks and financial institutions with which you have accounts.
> Change the passwords on all your accounts. If there are security questions and answers or PIN codes attached to the account, you should change these too. One feature of many publicly reported security breaches is that they occurred over a long period, and some were not reported until years after the breach. Regular password changes reduce the risk you run from unannounced data breaches. Use different passwords on different accounts so that other accounts are safe when one is breached.
> You might consider a credit freeze. This stops anyone from using your data for identity theft and borrowing in your name.
> Check your credit report to ensure you know if anyone is applying for debt using your details.
> Try to find out exactly what data might have been stolen. That will give you an idea of the severity of the situation. For instance, if tax details and other identity numbers (Aadhaar/PAN) have been stolen, you'll need to act fast to ensure your identity isn't stolen. This is more serious than simply losing your credit card details.
> Don't respond directly to requests from a company to give them personal data after a data breach; it could be a social engineering attack. Take the time to read the news, check the company's website, or even phone their customer service line to check if the requests are legitimate.
> Stolen data can turn up on the dark web years after the original data breach. This could mean an identity theft attempt occurs long after you've forgotten the data breach that compromised that account. Monitor your accounts for signs of any new activity.
> Close accounts you don't use rather than leaving them dormant. That reduces your vulnerability to a security breach.
> Secure your phone. Use a screen lock and update your phone's software regularly. Don’t root or jailbreak your phone. Rooting a device gives hackers the opportunity to install their own software and to change the settings on your phone.
> When you're accessing your accounts, make sure you're using the secure HTTPS protocol and not just HTTP.