Domino's won't pay ransom on 600,000 record hack

Details of 600,000 French and Belgian customers to be released tonight if ransom is not paid today, say hackers.


Domino's Pizza in France and Belgium has had its servers hacked and more than 600,000 customer records stolen by hacker group Rex Mundi, which is demanding a €30,000 (£24,000) ransom and says it will otherwise publish the details on the internet at 8pm CET (7pm BST) tonight.

In a message posted to an online clipboard, Rex Mundi announced, “We downloaded over 592,000 customer records (including passwords) from French customers and over 58,000 from Belgian ones,” adding: “We used the contact forms on their websites to let them know of this vulnerability and to offer them not to release this data in exchange for 30,000 Euros….both of their websites are still up and vulnerable.” Sample data from the French website was published with the notification, including passwords, email addresses, home addresses and phone numbers – as well as customers' favourite toppings.

Domino's is reportedly refusing to pay the ransom, with the head of Domino's Netherlands, Andre Ten Wolde, telling local newspaper De Standaard that the company will not be paying and assuring customers that no financial information is included in the stolen data. Meanwhile, Domino's France recommended that users change their passwords.

In response, the group yesterday tweeted messages seeking to put pressure on the company, saying:

@dominos_pizzafrcustomer, u may want to know that we have offered Domino's not to publish your data in exchange for 30,000EUR.

PSA: If @dominos_pizzafr doesn't pay us tomorrow and we publish your data, u have the right to sue them. Speak to yr lawyer!

— Rex Mundi (@RexMundi_Anon) June 15, 2014

Bob Tarzey, an analyst and director at IT business and analysis house Quocirca, told SCMagazineUK.com: “Not giving in to ransom is the right thing as, once you start doing it, you are encouraging others to do so. Businesses need to take a collective stand, working with government and industry bodies.”

He adds that Domino's level of culpability will be determined by the regulators, who will take a view on the level of security in place, its implementation and security practices, and the detailed nature of the breach.

In an email to SC, George Anderson, director at Webroot, also supported the approach of not giving in to ransom, saying, “It is reassuring to see that companies that find themselves targeted by hackers looking to make a quick buck are refusing to pay up. After all, when it comes to data theft, there is no guarantee the hackers wouldn't release the data, even if ransom was paid, as they may equally accept the money and then try to sell the data on illegal forums, in hope of doubling their profits.

“This is slightly different to what we saw last week, when Feedly and Evernote were targeted by DDoS extortion attacks. Usually, organisations that give in and pay are spared being DDoSed – but only because following through with a DDoS attack requires slightly more effort on the hackers' side, than publishing the data that has already been downloaded.

“However, companies that fall victim to money extortion attacks should under no circumstances agree to play by hackers' terms. Instead, organisations that hold customer data should ensure they maintain a structured, multi-layered approach to security spanning data encryption through to security software that is updated and reviewed on a regular basis, to limit their chances of becoming an easy extortion target.”

Jason Hart, VP Cloud Solutions at SafeNet, also encouraged better use of encryption in an email to journalists, saying: “The latest breach continues to raise public awareness of the need for encryption – not just of financial data, but also wider customer information.

“The fact that financial information was not compromised minimises the severity of the breach. But given the increasing number of data breaches we're seeing, it's clear that companies need to start thinking about encrypting more than just financial data. If not they run the risk of losing customers to those competitors that do.

According to SafeNet's own Breach Level Index, which classifies the severity of a breach, the Domino's breach is given a severity rating of 7.7, making it a ‘severe’ data breach.”

David Emm, senior security researcher at Kaspersky Lab, agreed that data security needs to be given a higher priority, saying in an email to SC: “While it's important to try and keep out intruders, it's equally important that organisations secure data that's behind their perimeter defences so that, if those defences are breached, an attacker isn't able to obtain confidential data that can be used to compromise the online identities of its customers. The fact that credit card details and other financial data weren't stolen in this case is good, but the theft of personal information is bad news for customers too. This is especially true of passwords since, sadly, many people use the same passwords for many of (or all) their online accounts.”

Steve Smith, MD of data security firm Pentura, was also concerned that the personal details of so many customers were seemingly left unencrypted and susceptible to this kind of attack, saying: “If claims are accurate and indeed 600,000 customer records have been compromised that is a truly staggering amount of data that should have been better protected. The value of that data to criminals and fraudsters should not be underestimated nor should the potential damage that could be caused to individuals.”

Tarzey questioned whether either encryption or password security were necessarily a factor every time there is a breach, commenting: “Encryption isn't the be all and end all – depending how the data has been accessed. Similarly, the instruction to change passwords should have a caveat, depending on the practice you use: not everyone uses the same password for everything – and if your financial details are not included, a low level access such as a social networking log-in could be appropriate for ordering pizza. There are other solutions.”

Tarzey also pointed out that gathering the data was only the first stage of any exploitation, and that it would then need to be used to gather more data in order to commit a fraud. Smith also addressed this aspect, commenting: “People should also be very cautious about clicking on links in emails which claim to be from Domino's, no matter how authentic they seem to be. There's a very real risk that attackers will try and exploit this attack to send phishing emails to users, to try and harvest more sensitive data.”
