Domino’s Pizza held to ransom by hackers over customer data

Pay up or we expose personal details, including their favourite toppings, of 600,000 Belgian and French clients, cyberhackers tell Domino's

PUBLISHED: Tuesday, 17 June, 2014, 9:49pm
UPDATED: Wednesday, 18 June, 2014, 1:41am


Hackers have demanded a €30,000 (HK$315,000) ransom from Domino's Pizza after stealing personal data on more than 600,000 of its French and Belgian customers.

The data was stolen during a break-in last week that exposed 592,000 French and 58,000 Belgian customer records. Domino's France has acknowledged the breach.

A posting by the hackers on text-hosting site Pastebin claims the stolen data includes customers' full names, addresses, phone numbers, e-mail addresses, passwords, delivery instructions and even favourite pizza toppings.

"Domino's Pizza uses an encryption system for data. However, we suffered a hack by seasoned professionals and it is likely that they could decode the encryption system including passwords," the official Twitter account for Domino's France admitted.

"This is why we recommend that you change your password for security reasons. We strongly regret this situation and take illegal access very seriously."

The hackers, a group calling themselves Rex Mundi, posted a sample of the stolen user data along with a demand for €30,000 to not publish the full set.

Domino's Netherlands spokesman Andre ten Wolde said the company would not be paying the ransom and that financial data had not been stolen.

Domino's Pizza Enterprises holds the "master franchise" for Domino's Pizza in Australia, New Zealand, France, Belgium, the Netherlands and Monaco.

It is unknown whether user data from Australia, New Zealand, the Netherlands and Monaco was also compromised.

"Once again we have an example of how customer data, if not adequately secured, can fall into the wrong hands," said David Emm, senior researcher at Kaspersky Lab. "The fact that credit card details and other financial data weren't stolen in this case is good, but the theft of personal information is bad news for customers too."

The Domino's break-in is the latest attempt by Rex Mundi to extort money from global companies by stealing user data. In 2012, the group stole loan-applicant details of thousands of users of US payday loan company AmeriCash Advance and published them online.

Belgian internet hosting company Alfa Hosting became another of Rex Mundi's victims this year, leading to the names of 12,000 customers being published online.

"Cybercriminals are after the money and will follow the path of least resistance to get to it. Usually this means stealing personal data which is often unencrypted and selling it on the black market, or in this case using it for cyber blackmail," Jason Hart, of Cloud Solutions at SafeNet, said.

Feedly, Evernote and many other sites and online services have been targets for extortion, with hackers demanding money to avoid being taken offline by distributed denial of service (DDoS) attacks, which overload the servers of a website or service, denying users access to it.

"This is slightly different to what we saw last week, when Feedly and Evernote were targeted by DDoS extortion attacks," said George Anderson, director of security firm Webroot.

"Usually, organisations that give in and pay are spared being DDoSed - but only because following through with a DDoS attack requires slightly more effort on the hackers' side than publishing the data that has already been downloaded.

"Companies that fall victim to money extortion attacks should under no circumstances agree to play by hackers' terms."