
Cyber Incident Victim: Domino's India

Date: Apr 2021

Location: India

Summary

A threat actor claimed to have compromised Domino's India, allegedly stealing 13 terabytes of customer data including personal details from 180 million orders (such as phone numbers, email addresses, and physical locations) along with over one million credit card records. The data was advertised for sale on the dark web, though the company denied that financial information was breached, asserting it does not store such data. Cybersecurity researchers publicized the incident and linked the actor to a prior breach involving another Indian firm, while local authorities were alerted about potential data exposure weeks earlier.


Description

In April 2021, a threat actor advertised on the dark web the alleged theft of 13 terabytes of data from Domino’s Pizza’s Indian operations. The actor claimed the dataset included details from 180 million orders, containing customer phone numbers, email addresses, physical addresses, and over one million credit card details. Cybersecurity researcher Rajshekhar Rajaharia had alerted India’s Computer Emergency Response Team (CERT-In) on March 5, 2021 about potential data exposure, over a month before the dark web advertisement surfaced. Alon Gal, co-founder of threat intelligence firm Hudson Rock, publicly highlighted the breach claim via social media on April 18-20, amplifying awareness of the alleged incident. The threat actor explicitly linked the data to Domino’s India and marketed it for sale, asserting it originated from the company’s systems.

Domino’s India issued a statement denying any compromise of financial data, asserting that the company does not store credit card information. The organization did not confirm or address the alleged theft of non-financial customer data such as order details and contact information. The threat actor’s advertisement suggested possible connections to an earlier breach involving Indian mobile payments platform MobiKwik, though no conclusive evidence substantiated this link. The incident raised concerns about the exposure of personally identifiable information (PII) for millions of customers, including risks of phishing, identity theft, and financial fraud. Rajaharia’s prior alert to CERT-In indicated potential vulnerabilities in Domino’s infrastructure preceding the public disclosure, though the timeline between initial detection and the dark web listing remained unclear.
