Hackers have stolen data on more than 600,000 Domino's Pizza customers in Belgium and France and threatened to publish the data unless the company pays a cash ransom.
At risk are customer names, delivery addresses, phone numbers, email addresses and passwords, which were taken from a server used in an online ordering system that the company is in the process of replacing.
Domino's spokesman Chris Brandon said that at this point it was not clear whether the stolen passwords had been encrypted.
Using Twitter, the hackers said that they would publish the customer data on the Internet unless the company pays $40,800.
Domino's said that it was unaware of any ransom demand, but that the company would not be making any such payment.
Domino’s Vice President of Communications Tim McIntyre said the hacking was “isolated” to independent franchise markets of Belgium and France, where the company’s online ordering system did not collect credit card orders, so no financial data had been taken.
Andy Heather, VP EMEA at Voltage Security, said that holding companies to ransom was becoming a tool of choice among hackers who recognised the value of personal data.
“The theft of financial information has a limited lifespan, because the victim changes the account details etc. But the personal information that can be obtained has a much broader use and can be used to commit a much wider range of fraud and identity theft, and cannot be changed,” he said.
Heather said that the Domino's breach highlights a need for companies to place tighter controls on how their customers' sensitive information is stored and protected.
"If Domino's had employed format-preserving encryption to protect the data itself, the attackers would have ended up with unusable encrypted data instead of the current outcome where an untold amount of their customers' personal information is now in the hands of cyber criminals," he said.
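To make concrete what "protecting the data itself" means for a record like the one described here (phone number plus password), the following is an added example written for this page; it is not code from the article, from Domino's, or from Voltage Security. It shows a tweakable format-preserving cipher over decimal digits, so an encrypted phone number is still a ten-digit string and fits the existing database column, and it stores the password as a salted PBKDF2 hash rather than in a reversible form, which is the answer to the open question of whether the stolen passwords were "encrypted": passwords should be hashed with a slow key-derivation function, not encrypted at all. The Feistel construction is a teaching illustration of how format-preserving encryption works, not the NIST FF1/FF3-1 algorithms a production system should use; the key, the sample customer and the `protect_record` helper are constructed for this example.

```python
import hashlib
import hmac
import secrets

ROUNDS = 10  # even, so each half ends in its original position
PBKDF2_ITERATIONS = 200_000  # slow on purpose: raises the cost of offline guessing


def _round_function(key: bytes, tweak: bytes, round_no: int, half: str) -> int:
    """Keyed round function: HMAC-SHA256 over (tweak, round number, other half)."""
    mac = hmac.new(key, tweak + bytes([round_no]) + half.encode("ascii"), hashlib.sha256)
    return int.from_bytes(mac.digest(), "big")


def _check_digits(digits: str) -> None:
    if len(digits) < 2 or any(c not in "0123456789" for c in digits):
        raise ValueError("input must be a string of at least two decimal digits")


def fpe_encrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Encrypt a digit string into another digit string of the same length.

    Unbalanced Feistel network (illustrative, not NIST FF1): the modulus alternates
    between 10**u and 10**v so odd-length inputs are handled without padding.
    """
    _check_digits(digits)
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v  # size of the half being replaced this round
        y = (int(a) + _round_function(key, tweak, i, b)) % 10 ** m
        a, b = b, str(y).zfill(m)
    return a + b


def fpe_decrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Invert fpe_encrypt by running the rounds in reverse order."""
    _check_digits(digits)
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        y = (int(b) - _round_function(key, tweak, i, a)) % 10 ** m
        a, b = str(y).zfill(m), a
    return a + b


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored string carries everything needed to verify."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def protect_record(key: bytes, customer: dict) -> dict:
    """Hypothetical helper: the row as it would be written to the ordering database.

    The email address is used as the tweak, so the same phone number encrypts
    differently for different customers and a ciphertext cannot be swapped between rows.
    """
    return {
        "name": customer["name"],
        "email": customer["email"],
        "phone": fpe_encrypt(key, customer["phone"], tweak=customer["email"].encode("utf-8")),
        "password": hash_password(customer["password"]),
    }


# Constructed sample data for the demo; the key would come from a key-management system.
DEMO_KEY = bytes(range(32))
SAMPLE_CUSTOMER = {
    "name": "Example Customer",
    "email": "customer@example.com",
    "phone": "0212345678",
    "password": "correct horse battery staple",
}

if __name__ == "__main__":
    row = protect_record(DEMO_KEY, SAMPLE_CUSTOMER)
    print("stored row:", row)
    recovered = fpe_decrypt(DEMO_KEY, row["phone"], tweak=row["email"].encode("utf-8"))
    print("phone recovered with the key:", recovered == SAMPLE_CUSTOMER["phone"])
    print("login with correct password:", verify_password(SAMPLE_CUSTOMER["password"], row["password"]))
    print("login with wrong password:", verify_password("pizza", row["password"]))
```

A dump of rows produced this way still looks like phone numbers and password fields, but the phone numbers only decrypt with the key held outside the database, and the passwords have to be guessed one slow hash at a time. The same Feistel construction generalises to any fixed alphabet (credit-card digits, alphanumeric IDs) by changing the radix from 10, which is exactly what the standardised FF1 algorithm parameterises.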