Data breach at Domino’s India leaks information of 180 million users

Close on the heels of Air India’s massive data breach, Domino’s India, has reported a massive data breach with over 13 terabytes (TB) in size, including information of its employees and customers. The data includes names, mobile numbers, and detailed addresses of around 180 million users of the 1,314 Domino’s pizza restaurants operated by Jubilant FoodWorks has been leaked on the dark web. Jubilant FoodWorks has confirmed the data leak but said that information about credit card and other financial details is safe.

The data breach, which includes customers’ names, email IDs, mobile numbers, and locations that have now been made public and are not just restricted to the dark web alone. The breach was first uncovered by Rajshekhar Rajaharia, a cyber-security researcher.

Mr Rajaharia explained to Moneylife that a cyber miscreant has even created a search engine for the database on dark web.

“Data of 18 crore orders of Domino’s India have become public. Hacker created a search engine on dark web. If you have ever ordered @dominos_india online, your data might be leaked. Data include name, email, mobile, and GPS location,” he says.

He told Moneylife, “The worst part of this alleged breach is that people are using this data to spy on people. Anybody can easily search any mobile number on the said link and can check a person’s past locations with date and time. This seems like a real threat to our privacy. The data can be also be misused for email spamming, unwanted calls and SMS messages”.

You can enter your e-mail address or phone number, and it will show you a response containing the linked email id, total number of orders, money spent in each order, time of order, and your precise location (latitude and longitude) with your general address.

Following this, the company released a statement saying, “Jubilant FoodWorks experienced an information security incident recently. No data pertaining to the financial information of any person was accessed, and the incident has not resulted in any operational or business impact.”

Adding to this, it said, “As a policy, we do not store financial details or credit card data of our customers. Thus, no such information has been compromised. Our team of experts is investigating the matter, and we have taken necessary actions to contain the incident.”

A few days back, Air India too had confirmed that it was the subject of a cyber-attack in which data such as credit cards, passports and phone numbers of its customers was compromised. The breach has, reportedly, affected around 45 lakh customers registered with the airline between 26 August 2011, and 3 February 2021.

What you must do for damage control post such incidents

If your data has been leaked, immediately change your password regardless of what was leaked in the data breach. It would be prudent that you change the password (if you are using the same password) on any other portal too so as to avoid any kind of potential risks in future.

In such cases, it is imperative to assume the worst and act accordingly. Get into the habit of having different passwords for different websites.

Monitor your bank and credit card statements very closely. Do not ignore bank SMS messages.

Customers who were registered on the affected systems of these organisations within the past year especially could be more vulnerable and are advised to change bank and card passwords or entirely replace debit or credit cards with new ones, among other things.

Since credit card information is also included in Air India’s data breach case, if you have been an Air India user or customer, you should ideally get the credit cards or debit cards replaced.

Let us not forget that in order to carry out international transactions (albeit  not all international transactions), one does not require a card verification value (CVV) code.

Besides, contrary to public perception, even the three-digit CVV code is not hack proof. Security experts tell us that an advanced computer can try out different permutations and combinations and crack it within minutes. If replacing a credit card or debit card is not possible for now, then at least block international transactions on cards via internet banking or bank app.

Alert your friends and share the information about the data breach as much as you can on social media so that everyone is aware. No misuse has been reported as of now but it is always better to be safe than sorry.

Use two-factor authentication wherever possible. All major services such as banking, email and e-commerce websites allow this. A two-factor authentication adds an extra layer of protection to your digital life.

You can also switch to Unified Payment Interface (UPI) to make payments which does not require you to share your card details on such platforms. You may even opt for virtual cards with a different number with limited funds offered by banks. This card can be used for online transactions.

Hackers can misuse your information to seek loans. Hence, it is advisable to check your credit report at least every quarter to see if any new loans have been issued.