The extortionist hacker group Rex Mundi recently claimed to have stolen hundreds of thousands of European customer records from Domino’s Pizza, and threatened to publish the data if a ransom wasn’t paid.
“Earlier this week, we hacked our way into the servers of Domino’s Pizza France and Belgium, who happen to share the same vulnerable database,” the hackers stated on dpaste.de. “And boy, did we find some juicy stuff in there!”
Domino’s France acknowledged the breach on Twitter and advised all users to change their passwords.
The hackers claim to have stolen more than 592,000 French customer records and more than 58,000 Belgian records from the servers. Each record lists the customer’s full name, address, phone number, email address, password, delivery instructions and favorite pizza toppings.
To prove they have the data in their possession, the group published three French customers’ and three Belgian customers’ names, addresses, phone numbers, e-mail addresses and passwords. (No toppings were revealed.)
The hackers say they informed Domino’s of the vulnerability in its servers, and threatened to publish the stolen data on June 16, 2014 at 8pm CET unless Domino’s paid them 30,000 Euros.
“So far, Domino’s Pizza has not replied to our demands,” the hackers wrote. “We would also like to point out that both of their websites are still up and vulnerable.”
As of this writing, there’s been no further communication from the group, and Rex Mundi’s Twitter account has been suspended.
The Daily Mail reports that Domino’s Pizza executive Andre ten Wolde insisted that the ransom will not be paid, and stressed that no financial information was compromised.
However, Malwarebytes senior security researcher Jean Taggart said by email that the “no financial information” statement rings hollow.
“A leak involving a home address, a valid email and a phone number seems damaging enough,” Taggart said. “Kudos to Domino’s for refusing to cough up ransom money, which would have set a bad precedent, but they should shutter their online ordering site until they have corrected the flaw that leaks out their users’ personal information.”
While Rex Mundi has published stolen data in the past, it appears that few if any of its victims have given in to its ransom demands. In June 2012, Rex Mundi published AmeriCash Advance customers’ personal and financial information after the payday lender refused to pay $15,000; in July 2013, the group published 6,000 Numericable customers’ personal information after the telco refused to pay 22,000 Euros; and in April 2014, the group published 12,000 AlfaNet customers’ names, and threatened to publish additional data unless the Web host paid them 15,000 Euros.
Still, RedSeal Networks CIO Steve Hultquist said by email that this kind of ongoing activity makes it clear that for cybercriminals, hacking is now a business. “Organizations are investing significantly in order to reap criminal benefit and they are not hesitant to make their activities known,” he said.