Yet another data breach incident: Domino’s / Jubilant FoodWorks

About a month back, it was reported that Domino’s India had suffered a data breach. The data now appears to be available on the dark web.

In the context of this breach, we as professionals need to discuss:

a) The extent of harm caused

b) The cause of data breach

c) Remedies to mitigate the damage

d) Preventive measures

The article referred to above in livemint.com provides some details about the incident. Many other articles in the media give similar information.

Let’s set down some brief thoughts for further discussion, based on the information presently available in the media.

Data Compromised

1. Number of data sets compromised:

18 crore orders, 1 crore credit cards

2. Total value as sold on the dark web:

Rs 4.5 crore (10 bitcoin)

3. Type of data:

Full data set consisting of name, address, mobile number, email address, geolocation at the time of order, as well as payment-related data which may include credit card data. Whether the credit card data was masked, and whether CVV data was also compromised, is not yet known.

4. Possible harm

The email addresses can be used for spamming, further phishing, resetting of passwords on bank accounts, etc. Credit card information may be used for cloning of cards. Geolocation can be used for further spying. The stolen identities may be used for many other offences also. In case the CVV has been stored and also compromised, all affected users will need to replace their cards.

The potential harm is of financial loss, reputation loss, harassment, stalking, bullying etc.

It appears that the data breach was discovered in April, when the hackers presumably demanded a ransom. It is not known whether the ransom was paid or rejected. But now the data appears to have been put up for sale for a price of 10 bitcoins.

There is no information on reporting of the data breach either to CERT-In or to the data subjects.

The organization admits the data breach but says that the customer’s financial data is safe.

As per one report, the data was taken from the internal files of the company between 2015 and 2021. If so, it could be an employee hack which went undetected for a long time due to gross negligence in the security system. Jubilant FoodWorks, the Indian listed company responsible for the security of this data, has not yet disclosed the breach information on its website.

The JFL website also reports that it won a Golden Peacock award in FY 16 which included “Risk Management”. Probably the “Risk” here referred to food-related risks. It would be interesting to see if the award-granting agency provides any clarifications.

The independent directors of the company also need to come out with their view on the cause of the data breach, its impact, the remedial measures to be taken, etc.

The company now needs to budget the cost of providing an “Identity Theft Protection” service to the 18 crore affected data principals. They can thank their stars that there is no DPA to breathe down their neck. CERT-In is a more accommodating regulator and could be satisfied with press statements that “No adverse impact has been there on the customers”.

Surprisingly, the stock market has not reacted to the possible consequences of the breach in financial terms. The company has to come out with its annual report, and being a listed company, the listing requirements mandate that the CFO and the CEO disclose the financial impact of the breach in the balance sheet. The stock markets also should expect a report.

In the event Jubilant has paid the ransom in the form of bitcoins, it would be necessary to account for the source of the payment made for the purchase of the bitcoins. Since the bitcoin transfer would have happened through one of the Indian bitcoin exchanges, the top bitcoin exchange companies in India need to be subjected to a transaction audit to identify the destination of the bitcoin payments.

Since most of the bitcoin lobbyists claim that they are law-abiding and that bitcoin is not a currency of criminals, they should be cooperating with the police in investigating whether any ransom was paid and, if so, how.

It is also time for cyber insurance companies such as Tata AIG to structure a policy for “Protection against the identity theft consequences for customers of a company which suffers a data breach”.

Naavi’s Ujvala Consultants has a policy incorporated in its model data breach management policy that “The possibility of obtaining a cyber insurance to cover the risks of the affected data principals shall be explored”.

I urge organizations like FDPPI to include, in their code of practice for handling data breach incidents, the purchase of a cyber insurance policy to protect the affected customers.

Let’s watch further developments.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.