The data published by hackers includes information about people’s phone numbers, email addresses, and addresses where they ordered pizza.
Two months after Domino’s Pizza’s customer data was compromised, and a few days after hackers made the data publicly available and searchable, parent company Jubilant FoodWorks notified customers that it had experienced an “information security incident” on March 24. According to the customer communication, no financial information has been leaked. However, with the information published by the hacker, anyone can enter a phone number or email address to find out other details about the person, such as the addresses where they previously ordered pizza and the amount they spent ordering from the pizza chain.
After the link became available, it also did the rounds in WhatsApp groups. In a few days, the page received over 800,000 page views and over 6 million searches. The company warned users after cybersecurity researcher Rajshekhar Rajaharia tweeted that links were now appearing in Google searches. “Our privacy is now searchable on @Google,” he said. Nonetheless, Domino’s Pizza has not revealed or addressed what kind of information was affected by the breach.
Aaron Gull, CTO of cybersecurity firm Hudson Rock, said in April that an attacker had hacked a 13TB Domino’s Pizza India database. Rajaharia followed, saying he was the first to report to India’s nodal cybersecurity agency CERT-IN that Domino’s India had been attacked by a hacker in March.
According to experts, the effects of such breaches can be multiple. “This means that these individual customers can be abused. It’s a big exposure because not all consumers have such an education,” said Raja Ukil, Senior Vice President and Global Head of Enterprise Business at cybersecurity startup ColorTokens and former Global Head of Cyber Security and Risk Services at Wipro.
The Indian Free Software movement said it would bring the matter to court after it wrote a letter to CERT-IN calling for an investigation of the case but received no response. Gagan Jain, CEO of CyberSafe Bengaluru and a cybersecurity expert, says it’s easy to identify a person through an address, phone number, and email address. “For example, if you receive an email from one of these violations, you can see where you currently have an account. You can log in anywhere with the same password,” he says.
Rajaharia previously stated that the worst part of this breach was that people were using this data to spy on people. “Anyone can easily search for mobile numbers and see past location and dates. This seems like a real threat to our privacy,” Rajaharia said.
Gagan says that most people only look at the financial side of security breaches, and the average person may even believe that they don’t have much financial exposure, but he says it goes beyond that and is a matter of identity. Gagan gives the example of fake identity documents such as passports and Aadhaar cards being created from data obtained from such breaches and sold on the darknet.
Need for regulation
The Domino’s Pizza data breach is just the latest in a long list of companies that have recently leaked data. This keeps repeating and endangering more people, but it has no effect on the company itself. “Today, companies that are victims of data breaches are not only responsible for protecting consumer data, but also for preventing cybercriminals from misusing data as a result of data breaches,” he said. Kaspersky (South Asia).
Raja Ukil of ColorTokens says it’s time for India to enact data protection legislation. “There is a strong need to introduce regulations on cybersecurity and compliance. It’s up to companies to comply with what they want, and many do not follow structures or methodologies,” he says. He said that consumer companies expect customers to provide a lot of information that the business probably doesn’t need other than for customer profiling, but don’t let them sign up unless they provide that information.
“Privacy alone is not enough. We need regulators to ensure that regulations, audits, and security controls are in place. We need that time,” he said, adding that reporting of violations should be required and penalties must be imposed. “If necessary, we need regulators who are empowered to penalize people and ban business. Every listed company has an obligation to shareholders. It can have a significant impact on shareholders. If there is a breach, we need regulations to report it to the BSE and NSE,” he adds.
Why companies should proactively disclose breaches
Kaspersky Lab, a cybersecurity company, says that proactively disclosing data breaches is useful not only to help maintain trust and transparency among consumers, but also to reduce the costs incurred by such data breaches. Kaspersky added that, according to a recent report, the overall cost of an information breach often depends on how the breach is disclosed. “It may be tempting to try to solve a problem quietly without being known to the public, but it is much more effective for a company to proactively disclose what happened. To reduce the possibility of increased losses, organizations can control the situation and publicly inform that an infringement has occurred,” says Kaspersky.
According to Gagan, the first thing companies should do when something happens is to reset all accounts in the database instead of emailing consumers to change their passwords. In this way, he says, customers have to change their passwords.
What you can do to protect your data
Other accounts are also at risk because many people use the same email address and password for multiple accounts. Gagan suggests forcing two-factor authentication to be enabled for all accounts and recommends apps such as: Authenticated. In addition, people need to have a secondary email address, containing no personal information, that can be given to businesses or organizations, and the primary email address should be shared only with trusted people, he says.
Below is a list recommended by Kaspersky Lab in the event of a data breach.
> Notify the bank or financial institution where you have an account if the leak may be related to your financial information.
> Change passwords for all accounts. If your accounts have security questions and answers or PIN codes associated with them, you will need to change them as well. One of the hallmarks of many publicly reported security breaches is that they occurred over a long period of time, and some were not reported until years after the breach. By changing your password regularly, you can reduce the risk from unannounced data breaches. Use a different password for each account to ensure that if one account is compromised, the other accounts remain secure.
> Consider a credit freeze. This prevents someone from using your data to steal your identity or borrow in your name.
> Check with your credit bureau to see if anyone is applying for a loan using your details.
> Try to find out exactly what data may have been stolen. Then you will know the seriousness of the situation. For example, if your tax details or other ID number (Aadhaar / PAN) is stolen, you need to act quickly to prevent your identity from being stolen. This is more serious than simply losing your credit card details.
> Do not directly respond to requests from businesses to provide personal data after a data breach. It could be a social engineering attack. Take the time to read the news, check the company’s website, or call customer service to see if the request is legitimate.
> The stolen data can appear on the dark web years after the first data breach. This could mean that an identity theft attempt occurs long after you have forgotten the data breach that compromised that account. Monitor your accounts for signs of new activity.
> Close unused accounts instead of leaving them dormant. This reduces your vulnerability to security breaches.
> Protect your phone. Use a screen lock and update your mobile phone software regularly. Do not root or jailbreak the phone. Rooting the device allows hackers to install their own software or change phone settings.
> Make sure you use the secure HTTPS protocol, not plain HTTP, when accessing your accounts.