The hacker group Rex Mundi is (once again) up to no good.
According to the group's Twitter account, on Tuesday, June 10th, they notified Domino's French branch that they had allegedly gained access to 650,000 records from the pizza chain's Belgian and French customers... and this Monday was the deadline to pay up.
If you're a Domino's Pizza customer living in Belgium or France, you should probably be changing your passwords right about now. Here's the ransom note:
Dear friends and foes,
Earlier this week, we hacked our way into the servers of Domino's Pizza France and Belgium, who happen to share the same vulnerable database. And boy, did we find some juicy stuff in there! We downloaded over 592,000 customer records (including passwords) from French customers and over 58,000 records from Belgian ones. That's over six hundred thousand records, which include the customers' full names, addresses, phone numbers, email addresses, passwords and delivery instructions. (Oh, and their favorite pizza topping as well, because why not).
And the ransom amount? Thirty thousand euros.
Until their Twitter account (@rexmundi_anon) was suspended, the group was sending tweets to the customers as well, suggesting they complain to Domino's and, if the organization fails to pay, sue. (Rex Mundi did not, however, offer any suggestions on how customers might channel their rage toward the actual perpetrator... the hacker group itself.)
Domino's, meanwhile, says no.
Why would Domino's risk the backlash (and lawsuits) of 650,000 customers, when they could get out for a measly €30,000? Well, for one thing, it's a matter of principle.
It’s easy to point the finger of blame at the corporation for not protecting its customers’ data properly, and there are no doubt a lot of angry people in France and Belgium right now ordering an Indian takeaway as a form of protest.
But we have to make a stand against criminals who attempt to blackmail and extort money out of the corporations they are attacking via the internet. We saw a fine stand made by Feedly the other day when hackers attempted to extort money, and I’m pleased to see Domino’s Pizza not bowing to the hackers’ demands either (source).
For another thing, while the risks are real, the situation could be a lot worse. While Rex Mundi says it has a lot of personal data on these customers, it does not have access to any payment data. Because, quite prudently, Domino's doesn't store that information in the first place.
What should Domino's do?
Responding to any data breach involves a precarious dance. To understand the complexities, look at this overview. If your organization were breached, would you know what to do?
What should customers do?
First off, understand who's affected. Pizza lovers in France and Belgium are the targets in this attack; however, "Domino’s customers in the UK and Republic of Ireland are not affected by this incident" (source).
If you think you may be affected by the Rex Mundi Domino's hack, make sure you're not using your pizza-ordering password anywhere else on the 'Net. Really, all of your passwords should be unique anyway. If you've been lax about following password best practices, now's the time to pick up the slack.
Finally, rest assured that Rex Mundi does not have access to your banking information. They know what pizza topping you like. They have all your "phone book" info (name, address, telephone number). They know your email address. But they do not know your credit card number.
Which, in the end, means they don't have much.