Domino's extortion breach highlights rise in ransom-based attacks
A hacker group says it will release stolen customer data if Domino's does not pay more than $40,000.
A hacker group known as Rex Mundi threatened to release a list of information on more than 650,000 Domino's customers in France and Belgium if the pizza company did not pay 30,000 Euros – more than $40,000 – by 2 p.m. EST on Monday.
As of Monday afternoon, a list did not appear to be released, and the Rex Mundi Twitter account originally used to post about the incident had been suspended.
“The incident is isolated to the independent franchise markets of France and Belgium,” Tim McIntyre, vice president of communications with Domino's, said in a Monday statement emailed to SCMagazine.com. “Neither we nor the franchise in France will be responding to their demands.”
According to a June 13 Google cache of a letter purportedly written by members of Rex Mundi, the crew hacked into the servers of Domino's Pizza France and Belgium last week by exploiting a vulnerability, which enabled them to steal data on more than 592,000 French customers and more than 58,000 Belgian patrons.
That information includes names, addresses, phone numbers, email addresses, passwords and delivery instructions, as well as favorite pizza toppings, according to the letter. McIntyre said that no payment card data or other financial information was compromised.
“[Their] system is a bit outdated and does not accept credit card orders,” McIntyre said. “Plans were already in place to have the system roll over to the platform we use in the U.S. This does not affect any market outside of France and Belgium. The site has been secured.”
Rex Mundi posted a few French and Belgian samples along with the letter, but only time will tell if the hacker group can and will make good on its promise to release the data. Regardless, the incident highlights a rise in the number of ransom-based attacks – which include extortion through distributed denial-of-service, as well as the use of ransomware.
“All you need to be a victim is to have money, and to have a complex infrastructure [that] you don't really understand,” Mike Lloyd, CTO at RedSeal Networks, told SCMagazine.com in a Monday email. “Given that combination, the bad guys will exploit your ability to defend yourself.”
Factoring in security from day one helps prevent the threat, Jean Taggart, senior security researcher at Malwarebytes, told SCMagazine.com in a Monday email, adding that while databases are always targets, attackers may move along if the information is encrypted and difficult to reconstruct.
As far as ransoms are concerned, Taggart said paying up is never ideal.
“By doing so you set a precedent,” Taggart said. “This will simply open the flood gates for further attacks, as the likelihood of payment has been proven. That being said, there are cases where the organization does not have a choice, and even a possible worst case scenario where the business would cease existing should its data not be returned."