Cyber Incident Victim: Domino's Pizza
Date: Oct 2017
Location: Australia
Summary
Unauthorized access to a former supplier's system exposed Domino's Australia customer data, including names, email addresses, order details, and suburbs, leading to personalized spam emails targeting affected individuals. The company confirmed no breach of its own systems or compromise of financial data, attributing the incident to the third party's compromised online rating platform. While asserting website security, the organization notified Australian and New Zealand privacy regulators amid customer complaints about delayed breach notifications and misuse of personal information in phishing attempts.
Description
On October 17, 2017, Domino's Pizza Australia customers began reporting receipt of personalized spam emails referencing their first names and residential suburbs. Initial complaints surfaced on Reddit, where users described receiving phishing emails that appeared to originate from Domino's. One customer reported being told by Domino's helpline that a "secondary supplier's" system had been compromised. By October 19, Managing Director Don Meij confirmed via corporate statement that store names, customer email addresses, and order details had been stolen from an online rating system managed by a former supplier. The company asserted its own systems showed no evidence of compromise and emphasized that no financial data—including payment card information—was accessed, as such data was not stored in their systems. Domino's initiated an investigation upon discovering the issue, though the exact timeline of initial detection remained undisclosed.

The incident triggered customer frustration over delayed notification, with social media posts criticizing Domino's for failing to proactively disclose the breach. Facebook user Mitchell Dale cited the eeriness of targeted spam bypassing filters and condemned the company's communication approach as damaging to trust. Domino's formally notified privacy regulators in Australia and New Zealand, where most complaints originated, while maintaining that its websites remained secure for transactions. The company advised customers against clicking suspicious links and confirmed no account updates were necessary. No threat actor attribution or specific compromise timeframe was disclosed. Customer impacts centered on spam proliferation and privacy concerns regarding exposed personal identifiers, with some individuals publicly severing business relationships with Domino's over transparency failures.
