The data breach of Domino’s India’s servers where 18 crore order details were leaked has now found its way into the public domain through a public search engine created by the hacker.

The public search engine that has been shared widely since Sunday only requires one to input a mobile number or email ID, revealing sensitive information such as the user’s name, address, order history along with the location where orders were placed to.

First reported in April, 18 crore order details including name, number, email, delivery address, payment details and 10 crore credit cards used to purchase on the Domino’s app have been breached.

While there have been several data breaches in the recent past, Cybersecurity experts say that the ramifications of such a breach are massive.

“Individual’s address and order history are also referred to as PII data (Personally Identifiable Information), therefore having your address leaked in combination with the mobile number can have serious implication on an individual’s privacy,” Akshay Garkel, Partner & Leader, Cyber at Grant Thornton says.

Akshay also added that this data can be used to spy on individuals past locations, identify individual spending habits, targeted marketing and spamming of emails, SMS & phone calls, online thugs/Cyber scammers can target people for frauds etc.

Another cybersecurity expert who didn’t want to be named said that with such information, anyone can easily trace locations of people, and this could lead to stalking, holding of ransom, blackmail, etc.

“Hackers can also use a combination of available personal information to cull out more sensitive data of a person such as accessing their PAN card, Aadhaar, etc, which could also have serious implications on one’s privacy,” he added.

While Jubilant FoodWorks, which runs Domino’s India, said in a statement that no financial information of any person was accessed, it is written on the public search engine that payment details will be released soon as well.

“The person who released this data has said he will release financial details in 24 hours, then it is up to the imagination of the hacker how he wants to use this info,” the expert added.

According to internet security researcher Rajshekhar Rajaharia who tweeted about the search engine being created on the dark web and about the public search engine claims that the data breach first happened in February 2021 and that he reported the breach to CERT-IN in March.

The data breach, however, came to light only in April when Alon Gal, Co-Founder & CTO of cybercrime intelligence firm Hudson Rock tweeted about the breach and that the hacker is looking for around $550,000 for the database with 13TB worth of data. He also said in his tweet on April 18 that the ‘threat actor’ said had plans to build a search portal to enable querying the data.

At the time, the hacker said that the breached data also included internal files of 250 employees from IT, legal, finance, marketing, operations, etc.

Can the data be removed?

Experts say that once the data has been breached, there is nothing one can do about it. While Rajaharia says that Domino’s should take action to ensure the search engine is taken down, experts say that once data is out there, it is nearly impossible to erase it, especially from the dark web.

“In this situation, you cannot do anything. You've transacted online with an element of trust. It is now on the company to negotiate with the hacker or go to cybercrime and get this data off air. Otherwise, the data is out there,” the expert quoted earlier said.

Experts are also of the opinion that Domino’s India should assess the impact and inform all affected users.

Rishikesh Kamat, Vice President – Products and Services, NTT Global Data Centers and Cloud Infrastructure, India says that informing users immediately should be of utmost importance since it will allow those impacted to then change their email passwords, disable location tracking and take other required steps in safeguarding their information.

However, neither Domino’s India, nor its parent company Jubilant have informed users about a possible data breach.

Jubilant said in a statement that the company experienced an information security incident recently. “No data pertaining to financial information of any person was accessed and the incident has not resulted in any operational or business impact. As a policy we do not store financial details or credit card data of our customers, thus no such information has been compromised. Our team of experts is investigating the matter and we have taken necessary actions to contain the incident,” the company spokesperson added.

However, the company is yet to comment on the public search engine and its potential security implications.

Grant Thornton’s Akshay says that an independent investigation should be conducted by a CERT-In empanelled investigation specialist to identify the true extent of data breach and inform the impacted users to reduce the implications. “The outcome of the investigation would also reveal the possible root cause of the incident which should be taken as a learning for Dominos to avoid such incidents in future,” he adds.

Recourse for impacted customers

​For those impacted, he suggests taking steps such as changing passwords or creating new accounts if they still want to use the service, replacing their credit/debit cards with new ones from the bank, and enabling multi factor authentication on the application such as OTP.

However, since there is nothing one can do about data that is breached, NTT’s Kamat says users should always take precautions beforehand to ensure that if there is a data breach, minimal information is leaked.

“Be careful about what kind of passwords you use. Everyone should use a fast phrase that is at least 25-30 characters long. Such passwords are very difficult to crack. But don’t rely only on passwords for safety. Always use two-factor authentication wherever possible. And while registering on any website, only give information that is mandatory,” Kamat adds.

Preventing data breaches

Domino’s India’s data breach is only one of the many breaches reported in the recent past including that of Air India, Bigbasket, Mobikwik, among others.

NTT’s Kamat says that to avoid data breaches, a major mindset shift is required of the acceptance that it is only a question of when and not whether a company’s data could get breached.

There are also specialised firms that companies can hire that used specialised tools to scour the dark web for potential attacks, signs of breaches, etc.

“Hacks don’t within a minute, it spans weeks and months. There is enough opportunity for a company to trace and find intrusion in advance,” Kamat adds.

(Edited by : Abhishek Jha)

First Published:May 24, 2021 7:24 PM IST