Domino’s hack lesson - encrypt

Domino’s brings out the standard calls and advice for security experts, plus a tinge of sadness that the advice still needs to be repeated

  • 10 years ago Posted in

There are a couple of fascinating aspects to the recent hack of Domino’s Pizza, not least being the fact that the hacker is holding information about the company’s customers to ransom for what seems quite a small sum, €30,000 (£24,000).

This suggests two things: one that the hacker understands the market price for the information – the company is likely to get stung with a fine of at least £50,000 for the breach, so pitching the ransom at half-price would let the company off lightly. The second is that, with a gross `return on investment’ of just £24,000 this suggests it was quite an easy hack to create and implement. It also, quite possibly, suggests that the hackers have a market for the data regardless of whether Domino’s pays up or not.

Hackers who cracked the Domino's Pizza database say they have stolen the details of more than 600,000 customers – including their favourite toppings. Shared servers in France and Belgium have been claimed as being `vulnerable’ and were compromised, with a range of customer details stolen.

The exploit has prompted several noted security experts to comment on it, including  Andy Heather, VP EMEA at Voltage Security, and TK Keanini, CTO at Lancope. Perhaps the saddest observation of all is that the advice they offer is hardly new or unusual, but has to be repeated nonetheless.

According to Heather, the value of personal data continues to be recognised by hackers who are now attempting to use the data to hold companies to ransom.

“Where previously financial data was the key target of the hackers, the theft of financial information (credit card or account information) has a limited lifespan, until the victim changes the account details etc.,” he said. “But the personal information that can be obtained  has a much broader use and can be used to commit a much wider range of fraud and identity theft, and simply cannot be changed.

“The value of this personal data to the cyber-criminal has a much greater value,  for example where the selling  price for a single stolen credit card is around $1, if that card information is sold with a full identify profile that can dramatically increase up to $500. If the cyber criminals know where the real value is then surely we should all expect responsible organisation to pay appropriate attention to keeping our personal information safe.

“This breach highlights a need for companies to place tighter controls on how their customers' sensitive information is stored and protected.  If data is left unprotected, it's not a matter of "if" it will be compromised - it's a matter of "when".  Even the best security systems in the world cannot keep attackers away from sensitive data in all circumstances.   When a company is storing sensitive information about their customers, the risk is to the data itself.  Therefore, a company needs to assume that all other security measures may fail, and the data itself must be a primary focus for protection - usually via encryption.  It is critical to note that this protection needs to include all potentially sensitive information and not just financial related data. 

“If Dominos had employed format-preserving encryption to protect the data itself, the attackers would have ended up with unusable encrypted data instead of the current outcome where an untold amount of their customers' personal information is now in the hands of cyber criminals.”

 

According to Lancope’s TK Keanini, ransomware of all types are on the rise because the inventions of crypto-currency like Bitcoin and others lets the hackers operate with a functional currency that does not compromise their anonymity.

“While retail has been in the news lately with a lot of data breaches, if you have a lot of personal data on people, the more people you have the more attractive you are to these criminals.  If you have not been hit yet, now is the time to prepare with an incident response readiness that will ensure business continuity.  It is just a part of doing business in this age of the Internet. 

“Domino’s in particular needs to treat this event as an ongoing business problem and not as a one-time event.  They should provide leadership and expertise to all of their stores and deliver the operational visibility required to ensure early detection of this type of threat.  While getting in again is likely, they must raise the cost to this adversary to hide and operate.”

Talent and training partner, mthree, which supports major global tech, banking, and business...
On average, only 48% of digital initiatives meet or exceed business outcome targets, according to...
GPUaaS provides customers on-demand access to powerful accelerated resources for AI, machine...
TMF Group, a leading provider of critical administrative services for global businesses, turned to...
Strengthening its cloud credentials as part of its mission to champion the broader UK tech sector...
Nearly all UK IT managers surveyed (98%) state cloud investment is an organisational priority for...
LetsGetChecked is a global healthcare solutions company that provides the tools to manage health...
Node4 to the rescue.