Last month, data relating to over 18 crore Domino's India orders surfaced on the dark web; now, the same database has been made public by a hacker or hacking gang. The information has been posted on the dark web as a searchable server, enabling hackers to detect and map visitors to their previous location.
A threat actor in the matter was accused of stealing 13 TB of data from Domino's India last month, including the personal details of 250 employees from different divisions and customer information from 18 million orders.
According to security researcher Rajshekhar Rajaharia, this data has now been put up on a search engine. He went on to say that this contains information such as names, email addresses, phone numbers, GPS locations, and other information relevant to Domino's orders.
By comparing the phone number to the GPS location info, the data can be used to generate a map of a user's visited locations, according to a screenshot shared on Twitter. According to Rajaharia. “The worst thing of this supposed leak is that people are spying on people using this info. Anyone can conveniently look up any phone number to see where a person has been in the past, including the date and time. This seems to be a serious threat to our privacy."
Personal information given by customers when ordering through Domino's India's website or app is stored in the database. Names, phone numbers, email addresses, and credit card information are among them. The hacker, on the other hand, has denied sharing any samples of the stolen data with cybersecurity researchers, so reports about the stolen data, its scale, and contents are just that at this stage.
The data stolen from Domino's India's servers, according to screenshots of the leaked database posted by Gal on Twitter, is from the years 2015 to 21, though this remains unconfirmed. In response to last month's data breach claims, a Domino's India spokesperson told the company had recently discovered a "information security" incident, but that no financial information of users had been breached.
Hackers Target Indian Start-ups
According to IBM's "Cost of a Data Breach Survey 2020," Indian businesses experienced an estimated gross cost of a data breach of $2 million in 2020, up 9.4 percent from 2019. According to data compiled by the government-owned Indian Computer Emergency Response Team, over 26,100 Indian websites were hacked in 2020 as a result of the pandemic (CERT-In).
The Reserve Bank of India (RBI), alarmed by the state of data breaches involving Indian startups and payment processors, released new guidelines in (February 2021), stating that payment aggregators and gateways will not be able to store a customer's card information online. The decision comes just weeks after a data breach at payments company Juspay resulted in the internet exposure of over 10 million customer accounts.
Money Control, a Network18-owned finance portal, allegedly experienced a data leak, affecting 7 lakh users. Last month, Mobikwik, a fintech company, refuted reports of a data leak affecting 100 million users, amid evidence that the data belonged to Mobikwik users.
BigBasket suffered a data leak in November of last year, exposing the sensitive information of over 2 million people. The data was placed up for sale for about INR 30 lakh, and it was leaked online in (April 2021) this year in a similar fashion to the Domino's India database. Many people who were affected by the BigBasket data breach have now complained that their Flipkart accounts have been hacked.
No action has been taken against any of these websites for failure to secure customer information. In a hyper-connected system of overlapping consumers, these data breaches have a cascading impact across the whole network.