Cyber Incident Victim: Domino's Pizza
Date: Jan 2022
Location: Turkey
Summary
A pizza chain experienced a cybersecurity incident involving unauthorized access to customer data after receiving an extortion email from an unidentified party. The compromised information potentially included names, contact details, and customer numbers, though financial data remained unaffected as the company did not store credit card information. While the validity of the breach claims couldn't be fully verified, the organization proactively notified affected customers, mandated password resets, and advised vigilance against phishing attempts. Legal measures were initiated through criminal complaints to relevant authorities, alongside mandatory disclosures to data protection regulators. The incident prompted broader security recommendations for customers regarding credential reuse across multiple platforms.
Description
On January 9, 2022, Domino's Pizza Turkey received an email from unidentified individuals claiming possession of customer data, prompting an internal investigation. The company confirmed potential unauthorized access to customer names, surnames, contact information, and customer ID numbers but found no evidence of financial data compromise, as it does not store credit card information. While unable to fully verify the attackers' claims, Domino's acknowledged the possibility of a data breach affecting some customers. The company proactively notified customers via email on January 1, 2022, advising password changes for Domino's accounts and other platforms where identical credentials might be reused. Technical measures were implemented to force password resets, with customers encountering error messages when attempting to log in with old credentials. Domino's recommended enhanced security practices, including creating strong passwords and avoiding suspicious links in unsolicited communications.

Domino's Pizza Turkey filed a criminal complaint with the Republic Chief Public Prosecutor's Office and submitted mandatory breach notifications to Turkey's Personal Data Protection Authority (KVKK). The company emphasized its adherence to technical and administrative safeguards for data protection while citing increased cyber threats targeting organizations. No operational disruptions to pizza ordering systems were reported, though credential-related login issues necessitated customer intervention. The breach notification highlighted transparency as a core principle in its response, distinguishing between compromised personal identifiers and unaffected financial datasets. Forensic controls and regulatory compliance procedures were activated, though the specific attack vector and exact number of affected customers remained undisclosed in public statements.
