Domino's Pizza blackmailed over mass data leak

Fast food giant Domino’s Pizza has been held to ransom for €30,000 (A$43,500) after hackers stole over 600,000 customer details from a legacy platform used by the company’s European operations.

A group named Rex Mundi last week claimed to have breached the systems of Domino's operations in Belgium and France, and captured large amounts of customer data. Hours later, the group demanded the €30,000 from Domino's in exchange for not releasing the data.

The paste containing customer data has since been removed.

A Domino’s Australia spokesperson revealed the data in question involved names, email addresses and phone numbers. No financial records or bank account details were accessed as the company does not hold such data on file, the spokesperson said.

No Australian, New Zealand, Netherlands or Japanese customers were affected.

The hackers were able to access the data through a vulnerability in an old ordering site created in Europe, which is being transitioned to the new Australian-created platform over the next 18 months.

“We value customers’ privacy and we immediately took appropriate steps to close the vulnerability and are continuing to monitor the situation closely. The relevant teams are working closely with local police in relation to this matter,” a spokesperson said.

Domino's France has not indicated whether it will pay the ransom, but confirmed the data breach via Twitter.

The French arm of the global pizza delivery conglomerate said it uses encryption to protect commercial data, but in this case it did not help.

"The hackers we encountered are seasoned professionals and it is likely that they are able to decode the encrypted information, including passwords."

"We sincerely regret the situation and take the illegal access [of customer data] very seriously," it stated and advised customers to change their passwords.

But the hackers have claimed via Twitter that security provisions were not as strong as the company claims.

@dun4n The @dominos_pizzafr passwds are stored as unsalted MD5 hashes. Anyone can decrypt them either online or with CAIN.

— Rex Mundi (@RexMundi_Anon) June 14, 2014

Domino's online operations in France and Belgium are owned by ASX-listed Domino's Pizza Enterprises, which has been in the process of transferring its Australian-made iOS and Android apps to its European subsidiaries over the last 12 months.

None of the Australian created digital platforms were affected, a local spokesperson said.

The system in question may also have been hacked earlier than June 13. A letter to customers purporting to be from Domino's European chief executive Andrew Rennie and published on a Belgian blog said the company suffered an attack on June 9 resulting in data being leaked.