Hackers pressure DominoÂ’s Pizza
By Retail Technology | Monday June 16 2014
Hacker group ‘Rex Mundi’ demand €30,000 by 17 June or it will publish over 600,000 stolen French and Belgian customer records online
UPDATE - American pizza delivery giant Domino’s Pizza is in hot water after hackers named ‘Rex Mundi’ took to Twitter last week to demand €30,000 in return for 600,000 stolen French and Belgian customer records.
The group claimed to have retrieved 'customers' full names, addresses, phone numbers, email addresses, passwords and delivery instructions. (Oh, and their favorite pizza topping as well, because why not).”
Twitter threats
The hackers first announced the breach online, supporting the announcement through a now suspended Twitter account on June 13th. The group, which chose a latin hymn of humility linked to the Knights Templar, has since been taunting Domino’s about the speed and quality of its response:
“If you're a @dominos_pizzafr customer, u may want to know that we have offered Domino's not to publish your data in exchange for 30,000EUR,” said one Tweet dated 13 June, while another less than 24h ago boasted: “Fun fact: @dominos_pizzafr patched ONE vulnerability on their Belgian site, but left several other vulnerabilities in their code #fail”
Meanwhile, the Domino’s France Twitter account encouraged its customers to change their passwords with immediate effect in a series of tweets dated 13 June. “Domino’s Pizza uses a system that encrypts commercial data. However, the hackers we are the victims of are accomplished professionals and it’s likely they managed to decode the crypting system that contained the passwords.”
The tweets continued: “That’s why we are recommending you change your password as a security measure. We truly regret this situation and are taking this illegitimate access very seriously.”
Commenting on the data hacking of e-commerce information in France and Belgium, a spokesperson for Domino’s Pizza Group PLC said:
“The data hacking is isolated to the Domino’s franchise in France and Belgium, and no customer credit card or financial information was compromised. Domino’s customers in the UK and Republic of Ireland are not affected by this incident. The security of customer information is very important to us. We regularly test our UK website for penetration as part of the ongoing rigorous checks and continual routine maintenance of our online operations.”
Retailers must anticipate hacking
TK Keanini, CTO at security and network performance monitoring vendor Lancope, commented that if retailers have not been hit yet, now was the time to prepare with an incident response readiness plan.
“While retail has been in the news lately with a lot of data breaches, if you have a lot of personal data on people, the more people you have the more attractive you are to these criminals.”
“Dominos in particular needs to treat this event as an ongoing business problem and not as a one time event,” he continued. “They should provide leadership and expertise to all of their stores and deliver the operational visibility required to ensure early detection of this type of threat. While getting in again is likely, they must raise the cost to this adversary to hide and operate.”
This story was updated 17 June to include comment from Dominos’ Pizza.
