In what has been an eventful year for global cyber security incidents affecting people and business operations worldwide, the Domino's India data breach, which can potentially affect 18 crore people, became just another headline that will be swept away and forgotten like every other incident. This blog walks through the entire incident and what to do if you are affected.
What exactly happened?
On April 18th 2021, an individual named Alon Gal revealed that a threat actor claimed to have stolen about 13 terabytes of Domino's India data containing names, phone numbers, emails, addresses, payment details, etc. The incident was an attempt to extort money from Domino's (around 50 BTC) in exchange for the data. The actor had also stated an intention to create a public platform that would allow users to enter queries and search through the stolen data. Domino's India acknowledged the incident, but also stated that no financial data had been leaked, as it is their policy not to collect such information.
On May 21st, it was revealed that the threat actor's plans had allegedly come true, and people could now easily access the data by following a URL that led to a site on the dark web. Leaving aside the question of uninformed individuals potentially visiting the dark web without any kind of VPN or proxy browser, the data available included the number of orders, the GPS coordinates and addresses of homes and other places where one has received deliveries, the total amount of money spent on Domino's, names, phone numbers and email addresses. This was far more astonishing than the earlier news reports, because such incidents usually die out: either the matter is settled, as happened with Colonial Pipeline, or the hackers simply do not put in the time and effort to build something so easily accessible (it was even available through Google searches at one point) and allegedly follow through on their threat.
What can happen now?
One would think that after the Colonial Pipeline data breach and the Air India data breach, organisations or authorities would take the situation seriously enough to raise awareness or take action against the people responsible for such incidents. Instead, people on the Internet were able to look up how much pizza their friend ate, with absolutely no restraint whatsoever. The information leaked online may seem bizarre, insignificant and forgettable to some, but for someone with ill intentions and a little practice in social engineering, this window of access is a goldmine of opportunity. It becomes far easier to craft targeted phishing links and send them to people who order food frequently or are regular customers of that popular food chain. Considering how many promotional messages one receives after placing an order, or even later, it would not be hard for certain people to dupe the affected individuals in the near future into handing over whatever information they want, simply by imitating the Domino's website step by step and laying traps of discounts and coupon codes. Therefore one needs to be careful and wary of any messages and links received on the email addresses and phone numbers that were shared with Domino's.
While researching this blog, another article by Reuters came up which highlighted that a similar incident happened with Domino's Belgium and France, where customer names, delivery addresses, phone numbers, email addresses and passwords of about 6,00,000 customers were taken from a server. There were similar threats of releasing the data to the public in exchange for a ransom. After learning about this incident and the recent ones affecting e-commerce platforms, banks, insurance providers and social media platforms, one cannot help but wonder why the same mistakes have to repeat themselves on such a grand scale and why we cannot learn from them. In the absence of a mechanism that brings accountability for protecting data privacy, this incident will also go unchecked, even if the company claims to have engaged an international investigator to carry out an impact assessment. Even if the Personal Data Protection Bill, 2019 does get passed in Parliament in the coming sessions, it cannot act retrospectively to hold people accountable, and the potential damage to 18 crore people will become just another footnote in the history of India's efforts to establish a data protection mechanism.
In the meantime, one can try to discontinue the phone numbers and email addresses that were exposed, make a habit of keeping the mobile numbers and email addresses given out for promotional purposes separate from one's main ones, and also consider investing in consumer-based cyber insurance policies.