Domino’s Pizza is refusing to pay a ransom demand of €30,000 (£23,000) despite an attacker threatening to release the 600,000 customer details.
According to Sky news, the hacker known as “Rex Mundi” said the full details would be released today unless the firm paid them the fee. Those details include customers’ full names, addresses, phone numbers, email addresses, passwords and delivery instructions, as well as each customer’s favourite pizza topping.
However Domino’s Pizza executive Andre ten Wolde said the ransom demand would not be paid. He told the Standaard that it had contacted potentially affected customers with the advice, but said that the information contained is protected. “There are clear indications that something is broken on our server,” he said. He stressed that financial data such as credit cards, had not been stolen.
Mundi said that they were able to hack into the servers of Domino’s Pizza France and Belgium, who shared the same vulnerable database, and downloaded over 592,000 customer records (including passwords) from French customers, and over 58,000 records from Belgian users.
Steve Smith, managing director of Pentura, said: “It is concerning that the personal details of so many customers were seemingly left unencrypted and susceptible to this kind of attack. If claims are accurate and indeed 600,000 customer records have been compromised, that is a truly staggering amount of data that should have been better protected. The value of that data to criminals and fraudsters should not be underestimated nor should the potential damage that could be caused to individuals.
“People should also be very cautious about clicking on links in emails which claim to be from Domino’s, no matter how authentic they seem to be. There’s a very real risk that attackers will try and exploit this attack to send phishing emails to users, to try and harvest more sensitive data.”
David Emm senior security researcher at Kaspersky Lab, said: “Once again we have an example of how customer data, if not adequately secured, can fall into the wrong hands. While it’s important to try and keep out intruders, it’s equally important that organisations secure data that’s behind their perimeter defences so that, if those defences are breached, an attacker isn’t able to obtain confidential data that can be used to compromise the online identities of its customers.
“The fact that credit card details and other financial data weren’t stolen in this case is good, but the theft of personal information is bad news for customers too. This is especially true of passwords since, sadly, many people use the same passwords for many of (or all) their online accounts.”