Domino's Pizza has become the latest victim of a hack attack, this time on its French and Belgian sites, with the perpetrators demanding a ransom of €30,000 or they will expose customers' addresses (and their favourite toppings).
The group, who call themselves Rex Mundi, posted details of the hack online on 13 June before demanding money on Twitter.
“Earlier this week, we hacked our way into the servers of Domino’s Pizza France and Belgium, who happen to share the same vulnerable database,” wrote Rex Mundi. “And boy, did we find some juicy stuff in there!”
The hackers reported downloading “over 592,000 customer records (including passwords) from French customers and over 58,000 records from Belgian ones.”
They claim these include “full names, addresses, phone numbers, email addresses, passwords and delivery instructions.”
“Oh, and their favorite [sic] pizza topping as well, because why not,” said Rex Mundi.
Rex Mundi are threatening to publish the records if a €30,000 (£23,892) ransom is not paid.
Domino’s France acknowledged the hack and recommended that users change their passwords, while the head of Domino’s Netherlands Andre ten Wolde told local newspaper De Standaard that “there are clear indications that something is broken on our server.”
A spokesperson for Domino’s said: “The data hacking is isolated to the Domino’s franchise in France and Belgium, and no customer credit card or financial information was compromised. Domino’s customers in the UK and Republic of Ireland are not affected by this incident. The security of customer information is very important to us. We regularly test our UK website for penetration as part of the ongoing rigorous checks and continual routine maintenance of our online operations.”
Commenting on the news that Domino's Pizza's database was hacked, Sean Power, security operation manager from DDoS protection specialist DOSarrest, said: “Blackmail attacks are not new, although they are not typically advertised. Usually these attacks are not announced by the hacker, since a major motivating factor in a company’s decision to pay is to keep the intrusion secret.
“Companies have many reasons not to acquiesce to these blackmail demands; chiefly, it makes you a target for further blackmail demands. Once word spreads within the hacker community that you are willing to pay, you can be sure other hackers will come looking for any chance to extort further funds.
“The fact that this was a shared database is far less worrying than the fact it was vulnerable. Even though many of the comments on the page seem to indicate a lack of concern by customers, companies need to treat all user data with the utmost respect. Even favorite pizza toppings.”