facebook rss twitter

Domino's Pizza has been hacked and is held to ransom for €30,000

by Mark Tyson on 16 June 2014, 13:00

Quick Link: HEXUS.net/qacfor

Add to My Vault: x

A group of hackers going by the name Rex Mundi has compromised the servers of Domino's Pizza, stealing over 600,000 customer records from its France and Belgium operations. The hack group threatens to publish the data if its demand for a payment of €30,000 (£23,900) is not met.

"Earlier this week, we hacked our way into the servers of Domino's Pizza France and Belgium, who happen to share the same vulnerable database," wrote Rex Mundi on 13th June. "And boy, did we find some juicy stuff in there!"

Credit card data and other financial data not stolen

The group of cyber criminals said that data such as customers' personal information, passwords, delivery instructions and even their favourite pizza toppings were downloaded, comprising "over 592,000 customer records (including passwords) from French customers and over 58,000 records from Belgian ones."

With all this information held for ransom, Rex Mundi has given the pizza chain a deadline of 8pm CET (10pm GMT) today to pay up. If no payment is received it intends to unleash "the entirety of the data in [its] possession on the internet." On the hackers' Twitter page, they even advise French customers to speak to their lawyers, telling them that they have the right to sue Dominos.

Domino's France has recommended users change their passwords as soon as possible. However, the company's executive Andre ten Wold suggested that the ransom demand would not be paid, and that they have filed a complaint with a court in Paris, according to a Dutch newspaper (via the Telegraph). "There are clear indications that something is broken on our server. The information contained in them is protected," said Wold, whilst reassuring customers that "financial data, such as credit cards, has not been stolen."

The hacker group, on the other hand, seems to be playing up the tension between angry customers in its latest TV / movie-trailer style Tweet, in hope that Domino's will give in to its extortion demands.

*I was going to embed this Tweet but the Rex Mundi Twitter account has since been suspended.*

Previous hacking for ransom attempts by Rex Mundi include the publication of loan-applicant details from US payday loan company AmeriCash Advance in 2012, after the company refused to pay $20,000. It also breached Belgian hosting firm Alfa Hosting's system earlier this year and published the names of 12,000 of that company's customers.

HEXUS received an email from Kaspersky Lab's David Emm on the news within the last hour. Emm said that companies should at least secure both the gateway to the data and the data stored on their servers. However he thankfully noted that credit card details were not stolen in this case.

HEXUS Forums :: 15 Comments

Login with Forum Account

Don't have an account? Register today!
Posted by crossy - Mon 16 Jun 2014 13:16
I think I must be missing something here - specifically why is this a serious issue? As far as I can see, the possibility of password reuse is the biggest problem - and that's easily fixed.

As to the rest, so they publish your name, address, and that you like the large “Pepperoni Passion” with BBQ Stuffed Crust? (Oops, just gave away my preference) Not exactly Heartbleed…

Hopefully les flics will catch them and I'd vote for a set of stocks in the town square.

Meanwhile, I'd hope Domino's IT department are busy getting their excrement together.
Posted by peterb - Mon 16 Jun 2014 13:21
“Earlier this week, we hacked our way into the servers of Domino's Pizza France and Belgium, who happen to share the same vulnerable database,” wrote Rex Mundi on 13th June. “And boy, did we find some juicy stuff in there!”

Probably the juiciest thing you would find in any chain pizza place! Why would you want to register an account for a take away pizza?

That aside, I suppose it is (yet another) wake up call to any business to ensure the security of its customer and corporate databases.
Posted by Morthawt - Mon 16 Jun 2014 13:31
Unfortunately this does not surprise me. I would bet things like this are going to get worse. There have been many infiltrations over the past 3 years or so and even big companies/organizations have been hacked. I think the key is training people to be safer with how they use the computers. I bet most of these “hacks” are spear fishing attacks where they send a malicious email to an employee who opens an attachment thinking it is from their boss and BOOM 2 weeks later we hear this company gets hacked and all the details about it.

I wish companies would really train their people better on protocols for such things. Technology has gotten quite advanced, it cannot be easy for someone to physically hack from outside to inside. That is why these “hackers” resort to social engineering techniques and NLP to “con” people into doing something that will compromise the security from the inside out.
Posted by Arthran - Mon 16 Jun 2014 13:54
I used to work in the IT department at Dominos UK. The data they would likely get from this would be purely names, addresses, contact numbers and possibly order history. The financial data is seperated completely. I cant speak for how the French team have things set up, but if its anything like the UK, its really not much more data than you can get from the bloody phone book…
Posted by kalniel - Mon 16 Jun 2014 13:55
peterb
Probably the juiciest thing you would find in any chain pizza place! Why would you want to register an account for a take away pizza?
While I'm not sure it's the case here, often to get a discount code for a meal you have to supply your details. That's bad enough, but if they can't then keep these details secure they should be wrapped on the knuckles.

That aside, I suppose it is (yet another) wake up call to any business to ensure the security of its customer and corporate databases.
Absolutely, or if you can't, don't take the details. Maybe instead of/as well as a fine these companies should be banned from taking customer details for non-operational purposes for a year if they can't keep them secure.

SEE NEWER »