Dominos India, Air India data leaks put enterprise security protocols under the spotlight again

Details of 18 crore orders of fast-food chain Dominos have been made available in the public domain via a hacker-made search engine, months after the data was leaked on the dark web, according to an allegation by cybersecurity researcher Rajshekhar Rajaharia, who took to social platform Twitter to raise the issue. 

Rajaharia, in multiple tweets, said that an Indian hacker had allegedly created a public search engine, through which individuals could check whether or not their data had been leaked. 

“Not a single company alerting its affected users. As a result, innocent people are being cheated. It's our right to know if our data is leaked,” tweeted Rajaharia last week. 

Email queries to to Jubilant Food Works, which owns Dominos India, did not elicit responses at press time.  

Everyday new data breach is coming. Not a single company alerting its affected users. As a result innocent people are being cheated. It's our right to know if our data is leaked, so that we can be aware of future cyber threats.#InfoSec #GDPR #Privacy #CyberCrime #dataprotection

— Rajshekhar Rajaharia (@rajaharia) May 23, 2021

The cybersecurity researcher said the information leaked included names, email addresses, mobile numbers and GPS coordinates and could lead to instances of spying, unwanted calls and SMS, tracking past movements and spamming.  

On April 18th, Alon Gal, co-founder and CTO of cybercrime intelligence firm Hudson Rock, said in a tweet that over 13 terabytes of Dominos India data, including 10 lakh credit card details had been stolen. 

Threat actor claiming to have hacked Domino's India (@dominos) and stealing 13TB worth of data.

Information includes 180,000,000 order details containing names, phone numbers, emails, addresses, payment details, and a whopping 1,000,000 credit cards. pic.twitter.com/1yefKim24A

— Alon Gal (Under the Breach) (@UnderTheBreach) April 18, 2021

Talking about the breach, Prakash Bell, head of customer success and SE lead, India & SAARC, at cybersecurity firm Check Point said “Implementing technology solutions such as ZTNA, DLP, XDR and security posture management is key. Complementing these with employee education around data handling and vigilance would help creating the desired culture.” 

Bell added that organisations need to be transparent and reach out to affected users directly and also educate them on the next steps to be taken. 

In a separate incident, on May 19, state owned ailine Air India disclosed that the personal data of about 4.5 million passengers has been compromised owing to a March 4 leak at passenger service system provider SITA. 

The disclosure came 76 days after SITA reported a massive data breach. The leaked data included credit card details, passport information, contact details, ticket details and others, according to Air India.

Air India, which pegged the data as belonging to passengers who travelled between August 201 and February 2021, urged travellers to change their passwords “wherever applicable” and stressed that the CVV/CVC details of the cards were not collected by SITA.

“Organizations should share the scope of the impact of the breach and what measures the organization has taken/is taking to address current and future incidents. It would help restore the damaged trust,” Check Point’s Bell said in a statement.