Domino’s breach underlines value of personal data, say experts

The latest cyber breach to hit a high-profile brand underlines the high value of personal data, say security experts

The latest cyber breach to hit a high-profile brand underlines the high value of personal data and the need for businesses to increase defences around such data, say security experts.

Hackers have demanded ransom of €30,000 from Domino’s Pizza after stealing the personal data of more than 600,000 of the firm’s customers in France and Belgium.

Calling themselves Rex Mundi, the hackers said in a posting on Pastebin that if Domino’s failed to pay the ransom by 8pm CET on Monday, they would publish the data, which includes postal and email addresses, phone numbers and passwords.

Domino’s said in a tweet that although the passwords are encrypted, the hack was carried out by “seasoned professionals” and it is likely the passwords will be cracked.

“This is why we recommend that you change your password for security reasons. We strongly regret this situation and take illegal access very seriously,” the firm said its official Twitter account for France.

But Domino’s Netherlands spokesperson, Andre ten Wolde, told De Standaard that the company would not be paying the ransom and that no financial data had been stolen.

“The data hacking is isolated to the Domino’s franchise in France and Belgium,” the Domino’s Pizza Group told the Guardian.

More on data breaches

"Domino’s customers in the UK and Republic of Ireland are not affected by this incident,” the statement said.

The pizza group added that the UK website is tested regularly for penetration as part of “ongoing rigorous checks and continual routine maintenance” of Domino’s online operations.

“The value of personal data continues to be recognised by hackers, who are now attempting to use the data to hold companies to ransom,” said Andy Heather, vice-president Europe at Voltage Security.

“Where previously financial data was the key target of the hackers, the theft of financial information such as credit card or account information has a limited lifespan – until the victim changes the account details.

“But the personal information that can be obtained has a much broader use and can be used to commit a much wider range of fraud and identity theft, and simply cannot be changed,” he said.

For this reason, personal data has a much greater value, which is reflected in the fact that the price for a single stolen credit card is around $1, but increases to $500 if sold with a full identity profile.

“This breach highlights a need for companies to place tighter controls on how their customers' sensitive information is stored and protected,” said Heather.

But, he said, even the best security systems in the world cannot keep attackers away from sensitive data in all circumstances.  

“Therefore, a company needs to assume that all other security measures may fail, and the data itself, including all personal data, must be a primary focus for protection, usually through encryption,” he said.

Peter Armstrong, director of cyber security at Thales UK, said Domino’s must now ensure it has regular checks for malware in place as cyber hacks are rarely isolated incidents.

“Thales has audited many large organisations which believed themselves secure, when in reality around 80% of cases we found their networks riddled with Malware,” he said.

Armstrong praised Domino’s for alerting its customers to the breach and ensuring that the adequate measures, such as changing passwords, have taken place.

However, he said Domino’s needs to remember that such precautions and governance need to be reviewed continuously.

Online auction site eBay came under fire recently after it took weeks to notify customers of a breach of its systems and was slow in alerting users to reset passwords.

Read more on Privacy and data protection