Cyber Incident Victim: Domino's Pizza
Date: Jun 2014
Location: France
Summary
A cybercriminal group breached Domino's Pizza systems in Belgium and France, compromising over 650,000 customer records containing names, delivery addresses, phone numbers, email addresses, and password credentials. The attackers, identified as Rex Mundi, demanded a €30,000 ransom to prevent public release of the data, which the company did not pay. The organization confirmed no financial information was exposed but acknowledged the stolen personal details could enable phishing campaigns against affected customers. The hackers publicly disclosed the incident via social media after claiming the company failed to respond to their initial notification, though the business subsequently alerted impacted individuals about the breach.
Description
On June 13, 2014, the hacking group Rex Mundi publicly announced via Twitter that they had breached Domino’s Pizza systems in France and Belgium, compromising over 650,000 customer records. The group claimed to have exfiltrated 592,000 records from French customers and 58,000 from Belgian customers, posting a link to a since-removed dpaste.de file containing sample data. According to their tweets, Rex Mundi had notified Domino’s France of the breach on June 10 but received no response, prompting them to disclose the incident publicly four days later. The stolen data included full names, delivery addresses, phone numbers, email addresses, and passwords, though the article noted passwords were "hopefully salted and hashed." Rex Mundi explicitly demanded a ransom of €30,000 (approximately $40,619) to prevent public release of the data, but Domino’s did not engage with the extortion attempt.

Domino’s Pizza confirmed the breach on June 13, clarifying that no credit card information had been compromised. The company acknowledged the theft of personal customer data, emphasizing the risk of phishing campaigns leveraging the exposed information to target victims for financial fraud. Domino’s began notifying affected customers four days after Rex Mundi’s initial private notification, as highlighted in the hackers’ follow-up tweet criticizing the delay. The incident exposed vulnerabilities in Domino’s data security practices across its French and Belgian operations, though the company did not disclose technical details of the breach or specific containment measures. Rex Mundi’s public disclosure via social media amplified reputational damage and operational disruptions, forcing Domino’s to manage customer concerns while facing scrutiny over its response timeline. The breach underscored the growing threat of financially motivated cyber extortion targeting multinational corporations.
