A campaign by hackers to deface and steal data from the web-facing systems of Australia's largest fast food chains put Domino's Pizza's security posture to the test late last year.
The pizza chain was forced to fend off daily attacks on its website over two weeks last November after hackers 0-Day and Pyknic attacked rival Pizza Hut earlier in the same month. The pair defaced the Pizza Hut website, stole customer data and published links to Domino's website from the disfigured site.
"It has come to my attention that we have absolutely ripped apart your internal security system,” read a message on the Pizza Hut website, alongside a red button telling visitors to visit Dominos.com.au.
Dominos CIO Wayne McMahon told iTnews the company spent the next few weeks fending off 24/7 attacks from “every hacker worth his salt” - none of which were successful.
“I don’t know these people, and they didn’t send me an email and say ‘this is what we’ve done’, but for some reason they chose to put a button linking back to our site. In doing so they out a nice big target on our website, because every hacker worth their salt had a go at us."
Dominos was able to keep its website secure via a relationship with hosting partner Telstra. Telstra provides an all-of-business solution for Dominos including voice, data and hosting. McMahon had moved Domino's to Telstra after ending a standard co-lo arrangement in Soul/TPG's Brisbane data centre.
McMahon said Telstra’s 24/7 proactive security services ensured none of the attacks, ranging from DoS to more 'sophisticated’ attempts, could penetrate the website. Dominos does not store customer details on its website.
“I don’t rely simply on static firewalls, I have a whole managed service around security that comes with cloud,” he said.
He said such attacks were one of the risks involved in being a recognised brand with digital operations.
“The minute you put any kind of web server in the public domain, at some point it will be attacked. It’s part and parcel of being on the internet and in the public domain, particularly when you’re a very well known brand such as Dominos.”
McMahon acknowledged not all e-tail operators can afford the security systems and services protecting Domino's. While any company playing in the digital area needed to secure their website, it ultimately comes down to a cost versus risk decision, he said.
“I honestly would suggest to anybody putting a website in the public domain they very strongly consider cloud services. Part of [what comes with it] is a security regime, and they need to look very strongly at that. Simply putting static firewalls out there is a risk, it gives people time to analyse those firewalls and try various things.”
McMahon said the security benefit of using cloud services over running servers in-house was the capability and capacity of a cloud provider.
“You could have the capability in-house, but it would be horrendously expensive. Outside of the big banks, when it comes to putting that many people on, as well as the tools they need, the qualifications and the up-to-date knowledge, that would be cost prohibitive for most companies,” he said.
“[With Telstra] you get a whole command centre of engineers who proactively monitor the front end of the solution, proactively engaging technically to solve security breaches.
"In most in-house operations you might run a single firewall, and you may monitor its health, but you aren’t literally monitoring every packet that hits that firewall."