The data amounts to 13 terabytes and includes 180 million orders with phone numbers, emails, addresses, and payment details.
Domino's India data that included sensitive customer information such as their names, phone numbers, and credit card details has allegedly been breached and put on sale on the dark web.
According to tweets by Alon Gal, the Israel-based co-founder and chief technology officer of cybercrime intelligence firm Hudson Rock, the data amounts to 13 terabytes (TB).
He tweeted on Sunday that the data includes as many as 180 million order details, including 1 million credit card details.
The data, said Gal, was up for sale on the dark web.
The threat actor, he said, was asking for $550,000 for the data.
The threat actor also had plans to build a search portal to enable data search, he added.
A company spokesperson for Domino’s India said, "Jubilant FoodWorks experienced an information security incident recently.
"No data pertaining to financial information of any person was accessed and the incident has not resulted in any operational or business impact.
"As a policy, we do not store financial details or credit card data of our customers, thus, no such information has been compromised.
"Our team of experts is investigating the matter and we have taken necessary actions to contain the incident.”
Jubilant FoodWorks is the parent firm of Domino’s India.
Rajshekhar Rajaharia, the cybersecurity researcher who first alerted users about a big data leak at payments firm MobiKwik last month, said he had alerted the Computer Emergency Response Team (CERT-In), the government's cyber incident arm, about the Domino’s data leak in March.
“Again big data leak! 200 million order details, including 13 TB data of Domino's India, allegedly leaked from Domino’s India server.
"The data includes mobile numbers, email IDs, names, home address, payment types, and social login tokens. It seems the financial data is not there,” tweeted Rajaharia on Monday.
He further said that the Domino's data was earlier claimed to be in the possession of the same hacker who had accessed the MobiKwik data.
"It seems the same hacker who allegedly hacked #MobiKwik had access to Domino's from February. I had alerted CERT-In on March 5.
"Later, the first hacker sold server access to some other reseller. Now they are planning to create another search engine," he added.
“Domino’s India joins a string of hacking incidents involving Indian firms in the recent past, including BigBasket, BuyUcoin, JusPay, Upstox and others.
"There needs to be an increased focus on cybersecurity.
"Based on our research, on average, an organisation in India has been attacked 1,681 times a week in the past six months.
"This is 2.5x higher than the global average of 667 attacks internationally," said Sundar N Balasubramanian, managing director-India and Saarc, Check Point Software Technologies.
The alleged breach at Domino's once again highlights the lack of legal and operational remedies available to Indians in case their data is leaked online.
India does not yet have specific legislation dealing with user data breach cases or penal actions relating to them.
The Personal Data Protection Bill, which is proposed to deal with such cases of data breaches, has been pending in the Lok Sabha since 2019.
"Customers need to be made aware of the breach and provide means to protect against future misuse of their personal and credit card data.
"Organisations in India have to be made liable for such breaches with enough financial implication, making data security a top priority in every enterprise," said Sonit Jain, chief executive officer of cybersecurity firm GajShield Infotech.
The alleged data breach at MobiKwik is said to have affected the data of 3.5 million of its users, exposing know-your-customer documents, such as addresses, phone numbers, Aadhaar numbers, permanent account numbers and so on.
The size of the data was reported to be 8.2 TB. MobiKwik denied the breach.
Earlier this month, Facebook and LinkedIn also saw data leaks of millions of users, including the data of Indian users.
While both admitted that customer data had been leaked, both said it wasn’t hacked from their systems, but had been scraped.
Scraping means using an application to extract valuable information from a website.
Photograph: Anindito Mukherjee/Reuters