Hackers Try to Extort Domino's Over Stolen Data

Domino's pizza
Fred Prouser/Reuters

Last week, in an effort to extort $40,700 from the global pizza chain Domino's, a hacker group stole and is now ransoming the personal data of some 650,000 customers in France and Belgium. In a post published after the attack, the group, Rex Mundi, gave the pizza conglomerate until 8 p.m. CET to comply with its demands. Otherwise, the hackers wrote, they would publish the customers' information, including names, addresses and "favorite pizza topping as well, because why not?"

In its post, Rex Mundi claimed to have taken the information of 592,000 customers in France and 58,000 in Belgium. From six of these customers, the group published sample information. The data on each seem to vary, in some cases they also included phone numbers, e-mail addresses and passwords (presumably to their account on Domino's site). None of the examples mentioned pizza toppings.

"The hackers we encountered are seasoned professionals, and it is likely that they are able to decode the encrypted information, including passwords," a Domino's representative in France told iTnews. In a tweet that's since been deleted, Rex Mundi countered that, because of the relatively insecure way Domino's in France and Belgium supposedly store their passwords, "Anyone can decrypt them either online or with CAIN." (The latter is presumably a reference to a password recovery and decryption tool, Cain and Abel.)

Domino's did not respond directly to the hackers, but according to Tim McIntyre, the company's vice president of communications, "there are no plans to pay off this extortion threat."

The breech, McIntyre wrote in an e-mail to Newsweek, "does not affect any market outside of France (229 stores) and Belgium (24 stores)," which he described as independent franchises. He added that because the computer systems in the two countries are "a bit outdated," they do not accept credit card orders. As such, no financial information was compromised.

In the U.S., Domino's computer system is more sophisticated and does accept credit card orders. Presumably, this makes the system immune from attacks similar to Rex Mundi's. "Plans were already in place to have the [French and Belgian] system roll over to the platform we use in the U.S.," McIntyre added.

Rex Mundi claimed in its post that the hacked sites were still vulnerable. According to McIntyre, they have been secured.