By Nitin Pandey; Cyber security Expert.

Users, e-mails IDs and passwords of hundreds of Union Government officials have also been compromised and are now exposed to hackers

In a recent catastrophic incident, phone numbers, addresses, GPS location, email addresses and even ‘order amount’ of millions of Domino’s patrons in India was leaked on the internet on May 21, 2021.

This is one of the most shocking data breaches of all time that poses some very serious security concerns for India. People/entities with mala fide intentions can easily misuse that data and, in turn, can pose serious consequences, including, but not restricted to, threat to life and security of both individual patrons as well as to entire groups of people.

A certain link on the dark web is being disseminated in the IT circles as well as in the criminal ones. This link(Redacted to minimize the imminent threat as much as possible) opens up a webpage which is allowing users to put in any number or email which would expose private data results of countless patrons of Domino’s India.

Although Jubilant FoodWorks, which holds the master franchise of Domino’s in India, said, “No data pertaining to financial information of any person was accessed and the incident has not resulted in any operational or business impact.” but the website claims that all 13TB of private data will be made public soon.

When the query is fed in the search box, the following details are provided –

If you are reading this and have ever used Domino’s, your data is out in the open.

Mobile Number, Email, order amount and details, addresses where the orders were received, and the coordinates of the location. Although, the payment details are not made public by the hacker as yet, he/she threatens to do that soon enough.

So, even while you are reading this, some technologically erudite stalker could be out there collating the addresses and GPS coordinates of all who have used Domino’s in the past. In our words, if you are reading this and have ever used Domino’s, your data is out in the open, just waiting for some malevolent entity to misuse it and potentially cause you and all others like you a lot of grief in the days to come .

There have been several verified accounts of men and women who have started receiving strange promotional messages since the past  couple of days are feeling uncomfortable already.

How does this data breach pose a threat to individuals?

 The Tip:

Let’s undertake a careful analysis of how much of a risk such data leaks poses to the citizens of our nation:

Any person/agency with criminal intent, and especially stalkers, can access this data and easily home in on their chosen target. So, if someone has your number, they can run a search on this database and locate your physical home/work address. They might show up on your doorstep or follow you. But that’s just the tip of the proverbial iceberg. Endless opportunities can be mined out of this database.

Since the list of addresses where Domino’s delivered for a particular consumer would also be made available, this would reveal the location of that person on the particular days. At the lower end of the threat spectrum, this can especially hurt the partners/spouses who have cheated on their other halves and then decided to ‘celebrate’ their indiscretions by snacking on a delightful Domino’s Pizza with their ‘partners in crime’ before heading back to home and hearth.

Any potential blackmailers who have purchased this data can filter these results and easily target such ‘adventurers’ who prefer to walk on the wilder side. Such crooks  can contact them, directly, or indirectly, and eventually blackmail them for money, or even trade/ state secrets in exchange for their continued silence on the infidelities and indiscretions of their targets.

As said before, some people have already started receiving messages and calls from random unknown numbers (even international) since this incident came to light.

A much bigger threat?

The iceberg:

There are substantial big data implications of this data breach. The hacker has brazenly enough provided their email ID to invite all and any ‘interested’ parties’ to purchase for a whopping 13 Terabytes of personal data available for sale.

To begin with, targeted ad marketing agencies have already started accessing this data. Now they are able to figure out their target audience and are targeting advertisements towards them. This subverts the principles fair business practices, and in turn, even directly promotes Unfair business practices defined as fraud, misrepresentation, and oppressive or unconscionable acts or practices by business, often against consumers, by giving an exponentially undue advantage to those firms who have paid for access to this illegally obtained data.

.

Terrorist organizations, typically target ghettos, slums and even entire population clusters could be sorting out the mobile numbers of their ‘target demographic’ population on the basis of geolocation. For instance, they, or their handlers sitting in Bangladesh or Pakistan  know that a certain area in a city is infamous for hosting gangsters, producing criminals or a hub for extremism, they can filter the mobile numbers in the database by dropping the coordinates of locations around them. These numbers can then be contacted by such organizations for the purpose of pushing a social engineering manoeuvre with the insidious intention of manipulating our citizens living in those areas into becoming seditionist proxies, or even more dangerously, fresh recruits.

The same approach can be used by drug cartels which quite often are either run by terrorist organizations, or have links to many. These purveyors of slow death too can buy this data and then target the ‘at risk’ population directly. They can gauge the economic condition of a user by looking at their average expenditure on Domino’s.

‘Carders’ (hackers or scammers who store and use stolen card information to make illegal purchases) too stand to accrue a veritable goldmine of information about the credit and debit card details if the hacker releases that information as well. These scammers would be only be too happy to create a massive wave of carding incidents in the near future. It’s just a matter of time until that happens.

Political parties who will buy this data would also get the list of numbers in their constituency and would easily be able to push an SMS campaign, more efficiently than their opponents. This would put others in a position of disadvantage as they might not have enough resources to access such data. And that would exponentially subvert our democracy.

Finally, professional hit men, terrorist organizations, foreign intelligence agencies, can easily buy this data and use it to blackmail, surveil, and even potentially, assassinate those whom they consider an impediment to their nefarious objectives. In the interest of self preservation, the political, law enforcement and intelligence communities must do everything within their powers to mitigate the situation.

Just how did we drop the ball?

Firstly, this blame data breach lies squarely at the doorstep of information security officers of Domino’s India (i.e. Jubilant FoodWorks). Furthermore, the Ministry of Electronics and Information Technology, under the auspices of the Government of India, must also be held accountable for being myopically apathetic to the writing on the wall, and for progressively delaying the implementation of the Personal Data Protection Bill..

Personal Data Protection Bill India

The Personal Data Protection Bill, 2019 was introduced in Lok Sabha by the Minister of Electronics and Information Technology, Mr. Ravi Shankar Prasad, on December 11, 2019. The Bill seeks to provide for protection of personal data of individuals, and establishes a Data Protection Authority for the same. The Bill also categorised certain personal data as sensitive personal data. This includes financial data, biometric data, caste, religious or political beliefs, etc.

This bill empowers the citizens and makes the data holders accountable. Not just the data being collected by the Indian companies but also the foreign companies which have personal data of Indians are subjected to scrutiny under this bill. Tough penalties have been laid down in this bill in case of violations and  therefore would determinedly remedy the existing situation vis a vis data privacy in India.

However, the standing committee on the bill has been perplexingly seeking extension after extension since early 2020, when this should have been passed in the parliament.

What Former Dy National Security Advisor says about the leak

“Nitin Pandey’s write up on the Domino data leak brings out the potentially dangerous dimensions of its misuse. In a language understandable to common men, he has explained the process which the hackers use to filter the big data for specific misuse that can harm not only individuals but larger segment of populations. The big data collected from the Domino can be used by terrorist outfits for recruitment, by the political parties for publicity, by the commercial firms for promotional campaigns and by stalkers for targeting their victims. He rightly points out that there are number of possibilities. The mobile numbers, e-mails, addresses of delivery can be used to find out coordinates through the process of filtration. The dark side of the cyber space in which anything can be blown out of proportion and out of context within seconds that influences all has been projected very well by Shri Pandey. He has also underlined the urgent need for approval of the Personal Data Protection Bill of 2019 at the earliest. Importantly, Shri Pandey, a known specialist in the field of cyber security and cyber -crime, has very clearly recommended the role of corporates and the steps needed to be taken by individuals for the protection of the personal data. The article deserves attention of all citizens as cyber-space and Internet of Things have become inseparable parts of our lives.”saidDr S D Pradhan, Former Dy. National Security Advisor, Government of India

Corporate Responsibilities

The general practice of information security audits have been adopted by companies but that is exclusively to protect only their business interests. Unless legislative reforms like the PDP bill are into place, the corporates would continue to overlook security vulnerabilities in their systems.

Smith Gonsalves, Principal Consultant & Director CyberSmithSECURE said, “It is very important that the senior management in enterprises be able to simplify security risks to the boards and help those organisations understand the ROI on cyber security. It not only protects the privacy of its users but also prevents business shutdowns.”

Airtel recently announced that they would be investing a huge chunk of their new investments in cybersecurity. More such companies are alarmed by this data leak and are hastily working towards establishing more robust cybersecurity measures.

Past incidents of private data leak

Air India, Dr. Lal Pathlabs, MobiKwik, SBI, BigBasket, Unacademy, Upstox, JustDial, DigiLocker etc. are in the list of companies, banks and Government portals which suffered the most recent cybersecurity incidents. While some accept their data leaks, the others outrightly deny them.

These leaks pose not only a major threat to our right of privacy , but also  a collective threat to our society and nation. It’s high time that the government holds these corporations accountable and passes the Personal Data Protection Bill as soon as possible.

Views of Cyber Security and Forensic Experts of India

“The leaked database includes details like users’ phone numbers, addresses, and the number of orders they have placed with Domino’s. Malicious users are using this data to spying on people and also see the past locations with date and time. Which is an extremely dangerous and big invasion of privacy. Businesses who are a victim of a data breach today not only are responsible to protect their consumer’s data, but also prevent it from being misused by the cybercriminals as an aftermath of a data breach.”says Harsh Mukeshbhai Joshi, Information Security Group, HDFC Bank.

GopikaBaghel, Cyber Crime Consultant at Chhattisgarh Police said “Due to this breach, privacy and safety of millions of people is compromised mankind safety is an endangered, especially when you are using the internet to carry out important tasks like online banking and sharing your personal details. It can also cause significant economic loss to the business affected and also losses of competitiveness and reputation. Government should intervene and make strict law against these companies for not securing sensitive data of Indian users. Also, regular audit must be done to identify potential gaps in cyber compliance. This will help in building security areas. This audit can consider dynamic nature of the organization as well as how the organization handles information security.”

“Right to privacy is a fundamental right of every Indian as per the Supreme Court of India. It is really unfortunate to see how irresponsible Government of India is about Users’ Data and Privacy. Thanks to Mr Nitin Pandey for highlightingthis Data Leak which is need of the hour.” says Mrityunjay Mishra, a Cyber Security and DeepFakesResearcher.

Apart from the above, users, e-mails IDs and passwords of hundreds of Union Government officials have also been compromised and are now exposed to hackers. All of this could be attributed to the recent data breaches from Domino’s, Air India and Big Basket. The government has warned officials about this now. Sources say that even the @nic.in and @gov.in domains pose a threat now as they are being maliciously used by hackers to send emails to government users.

How to protect yourself from such data breaches

Today was Domino’s, tomorrow would be another application, possibly containing more personal data of ourselves. This warrants immediate attention by the authorities, but for the time being, we have to do our parts.

1. Always use UPI for payments. This adds an additional layer of banking security to each transaction. Please not, wallets, such as PayTM, and saved card information on applications are often subjected to such data leaks.
2. Do not overshare your data online.
3. Do not unnecessarily permit applications for the permissions which they do not require, may that be messages, call logs, camera permissions, etc.
4. Change your passwords from time to time and refrain from saving your card’s information on such applications.
5. Backup your data and system regularly.
6. Corporates should conduct regular cyber security trainings for their employees and audit their infrastructure.
7. Keep your apps, software, plugins and operating system updated to the latest version.
8. Keeping a strong and complex password and change it periodically.
9. Companies much have a quick breach response plan. Government should make some policies to regulate them.
10. Data encryption is a significant defence against such breaches because in many cases we have seen that encrypted data is essentially garbage for cybercriminals especially when they cannot decrypt it.

About the Author:

Nitin Pandey is a renowned Cyber Security, Dark Web, Counter Terrorism Researcher and Cyber Crime Investigator, currently working as a Consultant with Uttar Pradesh Police. A globally acknowledged expert, he has more than a decade’s  experience in the field of Cyber Security.

Twitter/Instagram: @initinpandey, Web: https://nitinpandey.info, Email:contact@nitinpandey.info

*************************************************************

Edited by PK Waghare

Read more on Cyber security

Japan’s missile design theft—lessons for India

World War III Has Begun and We Are Unaware

Is China planning cyber 9/11 in the sea? Maritime transport most vulnerable to cyber attacks

2 Cyber Attacks Which Almost Lead to a War Not Many are Aware of

Why new Indian military doctrine should consider “coercive disclosure”?

NOTE-  Articles published under “RESONANT NEWS” are written by Guest Writers/Authors and Information/Facts/Opinions expressed within this article are on an as-is basis or personal opinions of the author. The information, facts, or opinions appearing in the article do not reflect the views of Resonant News and Resonant News does not assume any responsibility or liability for the same. Resonant News is not responsible for the accuracy, completeness, suitability, or validity of any information on this article. The article is for information purposes only and not intended to constitute professional advice.