A threat actor is claiming to have stolen the personal data of over a million customers of Domino’s Pizza.
In an advert placed on the dark web, the alleged hacker says that they are selling 13 terabytes of data that they claim was stolen from the Indian branch of the American multinational pizza restaurant.
The illicit advertisement was discovered by Alon Gal, the co-founder and chief technology officer of Israel-based cybercrime intelligence firm Hudson Rock. Gal posted news of the alleged hack on social media on April 18.
In his post, the cybersecurity specialist said that the data appeared to include the details of as many as 180 million Domino’s orders. Among the allegedly leaked information was sensitive customer data, including phone numbers, addresses, email addresses, and the details of over one million credit cards.
Gal said that dark web users were being offered the opportunity to purchase the data for $550,000.
To enable the data to be selectively picked through, the threat actor said that they would be building a search portal.
A spokesperson for Domino’s Pizza in India said that Jubilant FoodWorks Limited, which holds the master franchise for Domino’s Pizza in India, Nepal, Sri Lanka, and Bangladesh, had experienced an information security incident recently.
“No data pertaining to financial information of any person was accessed and the incident has not resulted in any operational or business impact,” said the spokesperson.
They added that customers’ financial data was not vulnerable to hacking attacks because of the company’s data storage practices.
“As a policy, we do not store financial details or credit card data of our customers, thus, no such information has been compromised,” said the spokesperson.
They added: “Our team of experts is investigating the matter and we have taken necessary actions to contain the incident.”
Cybersecurity researcher Rajshekhar Rajaharia said that he alerted the Indian government’s Computer Emergency Response Team (CERT-In) on March 5 that data belonging Domino’s may have been exposed on the dark web since February.
On Twitter, Rajaharia said that the threat actor claiming to have hacked the pizza restaurant may be the same person who allegedly hacked India’s largest independent mobile payments network, MobiKwik, in February.