Hackers attempt to take a slice of Domino’s, order delayed

16 Jun 2014

Hackers who claim to have hacked into the servers of pizza chain Domino’s in France and Belgium and who demanded a €30,000 ransom for the return of customer records have had their demands refused so far.

The hackers accessed customer names, addresses, phone numbers, email addresses, passwords and delivery instructions – not to mention favourite pizza toppings.

Domino’s says that the hacker collective – known as Rex Mundi – failed in its attempts to get their hands on credit card numbers.

The hackers have issued an ultimatum that unless the €30,000 ransom is paid by 8pm (CET) tonight they will post all the customer details onto the internet.

It is understood that the hack emerged on 10 June but Domino’s did not respond to the hackers demands.

Rex Mundi previously attempted to extort money from US loan company AmeriCash Advance as well Belgian hosting firm Alfa Hosting.

Topping the pizza

“I am otherwise a rational and sensible cybersecurity analyst, but I draw the line when someone messes with my food,” said Urban Schrott from ESET Ireland.

“And the hackers behind this latest attack did just that. In a bid to extort money from Domino’s Pizza, they threatened to publically post detailed info of 600,000 customers, including their favourite pizza toppings unless they’re paid a ransom of €30,000.

“The hackers aimed at possible lawsuits against the pizza company for breach of privacy, but a representative of Domino’s said the ransom will not be paid and that the customers’ financial data and credit cards were not compromised in the attack.

“Apart from changing your toppings, at least for a while, ESET Ireland therefore seriously advises you are careful with the personal data you share with companies and services you deal with.

“Know that, as in the case of this hack, if the data falls into the wrong hands, it can be used against you. Only disclose the minimum of necessary info and if you receive any suspicious email, claiming reference to some real info about you, double check if it is legitimate, before you do anything it’s asking you to do. When unsure, just ring the company in question and check.

Ransom – the hacker’s latest ploy

“Hackers are increasingly turning to ransom as a money earner but in this instance it seems they aren’t quite as greedy as others have been – £24,000 seems very low,” said David Howorth, vice president at AlertLogic.

“Dominos should remain vigilant and not agree to pay the ransom – the hackers have no ethical code of conduct, so Dominos should assume their customer data is already making its way to the criminal underground, where it will be sold. 

“Consumers should heed the security industry advice to change their passwords as soon as Domino’s have fixed the server vulnerabilities that enabled the hack to take place in the first place.

“Dominos obviously takes security seriously as it had used encryption for their customer data, but hackers will always exploit the weakest link; so Dominos needs to make sure it can monitor its data centre infrastructure for malicious traffic and vulnerabilities in real-time, 24 x 7. This will enable the company to be proactive in their defences and take remediation action before any future attacks take place.”

Pizza image via Shutterstock

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years