Breach in Domino’s and Air India Data ! Complete Case Study

Have you ever ordered home delivery of pizza from Dominos? Or have you ever taken an Air India flight? If you’ve answered yes to either of the questions, then there is a very high chance that your personal data has been leaked on the internet. By personal details I mean your name, phone number  address, passport details, and even your credit card numbers.

This news is, again, not being adequately covered by the mainstream media. Let’s find out what happened exactly and how you can protect your data, if something like this happens in future again. Dominos is probably the largest pizza delivery company in India and Air India is the most renowned airline. There have been big data breaches in these two companies.  

What is a Data Breach?  

The companies like Domino’s and Air India have a database of customers. Like, when you order pizza from Domino’s, you use your phone number to call them and they store your phone number. That this number, used by this person, ordered pizza to be delivered to this address. On 16th April 2021  a Co-Founder of an Israel-based cyber-crime intelligence company found that some hackers had claimed in a post to have more than 13TB of data from Domino’s, which included 18 crore orders from year 2015 to 2021.

Hackers had demanded approx ₹4 crore for this data. And when no one bought this data, they put it up publicly on the internet so that anyone can access it from a search portal. One only needs to enter the mobile number or email address on the search portal  and all the information connected to it will be displayed below.

How many times have you ordered pizza from Domino’s in the last 6 years? How much did you spend on these orders in total? What is your linked email address or mobile number? What is the value of the individual orders? What is your delivery address? With precise latitudinal and longitudinal information the exact location of your house and the dates and times of the orders can be found from it.

All this information look somewhat like this and  for now, the credit card details of the people have not been published online. But the hackers claim that they have more than 1 million credit card details and they will publicly publish them soon.  In April when this data was available only on the dark web, then Domino’s had responded with this statement that “No data pertaining to financial information of any person was accessed and the incident has not resulted in any operational or business impact”.

Domino’s meant that their business was not affected by it. Because, obviously, why would it have affected their business, it was the customers’ data that was stolen.  “As a policy, we do not store financial details  or credit card data of our customers, thus no such information has been compromised”. If Domino’s is to be believed, they do not have saved the credit card data of the customers, but the hackers claims that they have the credit card details. Who is to be trusted? Can’t say.

How you can be scammed by fraudsters?

Now the question may arise, how does the data being published on the internet affects you? Some people may find out the address of your home. Some may find out your phone number, but this might not seems to be threat, right? I’ll tell you how this will affect you. This can be used to scam you very easily.

Several scams are often seen that are termed as OTP Scams. The fraudster would call you and say “Hello, am I speaking with XYZ?”  And I’d reply, “Yes” , “Do you reside at this address?” I’d say “Yes”. They’d say that they’re calling from XYZ bank to confirm whether you’ve received this OTP or not. Now, if they have your name, address, credit card details, you’d think that  you can trust this person. Since they already have all the data they might really be calling from the bank. And you’d give them your OTP to “confirm”  And they’ll withdraw money from the bank account.

There have been numerous such scams in reality, where the personal details of the people were used to fraud them. The real problem with this is that, if a scammer has your full name, address and phone number  and they talk to you very professionally, it becomes easy to fall for his tricks. If a person has so many details about you, while talking you’d feel that they are indeed calling from the bank. Otherwise, how would they have known so much? And then you’ll get trapped.

This is just one way, but in reality there are numerous ways to scam you using your personal data. Other than this, your personal data may be misused for putting up fake advertisement to send spam messages on your phone number. The useless advertisement messages that you get on daily basis. Often the hackers sell the data to a big company and those companies use it to fill your phone with spam.

Let’s  look at the data breach of Air India too. In the data breach in Air India  the data from year 2015 to 2021 has been leaked of more than 4.5 millions of Air India’s customers. Their name, date of birth, contact information, passport information, ticket information, frequent flyer number of Air India, and lastly credit card data has been leaked.

Even if the credit card data is leaked, it doesn’t mean that because of this leaked data, these hackers will be able to use your credit card to buy anything online. This isn’t possible because there is a CVV number at the back of the credit card and this CVV number is not stored in the databases. Sigh of relief, you don’t have to worry that any person can make any purchase using your card.

But even then, the credit card numbers being leaked is still a huge deal. As more information leaks, it would make things easier for the scammers and fraudsters to fool you and scam you. Air India has taken some steps as its response and have secured the compromised servers. And they have notified the credit card issuers to take preventive measures.  

In the last few years, countless data leaks have been seen in our country from different companies. Aadhar data was leaked in 2019, data of JustDial company was leaked in May 2020, Unacademy, BigBasket, MobiKwik had a data breach recently. There have been so many data breaches in India  and if we look at it from the perspective of the government and its responsibility, they have not made any proper Data Protection Law in India.

In the European Union, there exists a very strong GDPR(General Data Protection Regulation) Law. This law held the companies  accountable whenever there is a data breach and directs them to collect minimal data from the people. It means that only the data that the company absolutely needs can be collected. Any additional data should not be stored in their systems. On top of it, the data being stored should be deleted after a certain amount of time and even at the request of the customers.

But in India, if you want to  ask the companies to delete your data from their servers, Is it possible to do this? A few companies have put up some options, but mostly hidden. That if you want, you can get your data deleted from their database. Even then, the companies who have given this option take weeks to delete your data. 

What you can do to secure your data?

How you can secure your data? To keep your data secure, whenever you’re putting in your data online, try to minimize it. Whenever a website asks for your personal information, you don’t have to give more data than required. You might have noticed those stars, right? Those are required field, you need to put in your full name, email address. Many of the times the phone number fields are optional, you need not fill it. You don’t have to give them any more data than required.

Often while filling in your credit card details online there is an option at the bottom of the website  ‘Save this credit card information for future purposes’. Meaning that website will save your credit card details  so that when you use that website in the future  your credit card information would be easily available on the website  and you needn’t type it in again.  Several websites have this option nowadays.

Do not choose this option ever, it means that the website will be saving your credit card details. Third, do not use the same passwords while making accounts on different websites. If one website’s data is breached, then the hackers will get your passwords. And if you’ve used the same password somewhere else  it will give the hackers access to the other accounts.

If there is a data breach in Facebook, hackers will get to know your Twitter, Instagram and other passwords. That’s why use different passwords. By different passwords, I do not mean  that you use 123456Domino’s as password for Domino’s  and 123456AirIndia for Air India. These hackers are more intelligent than you think. He can analyze the pattern. Once he observes that you’ve used 123456Domino’s as the password, he’ll easily figure out that for Air India you would’ve used 123456AirIndia.

Hence, either avoid this or preferably use completely different passwords. The more complex and long the password is, the more it becomes difficult for hackers to guess. This is why it is better to use password managers which is in-built in iOS iPad and iPhone. Use that password manager that is suggested by the phone. They suggest very complex and long passwords, having a combination of various letters and symbols which no person can actually remember. Fourth, while browsing on the internet  always use a VPN to keep your location data secure. 

Nowadays, many of the websites, if not all,  know your location through your IP address. Your IP address reveals your location as these websites often store this data. The country and the region you’re visiting the website from, is known to them. How we can avoid being tracked? Here comes the role of a VPN a Virtual Private Network which extends a private network across a public network.

It allows users to send and receive data across shared or public networks as if their devices are directly connected to a private network. This is how VPN hides the IP address of the users and prevent them from being tracked. Popular VPNs availble on the internet are HotBot VPN, NordVPN, SurfShark VPN, PrivateVPN, etc.

Now coming to the event where the scammer applies a Brute Force method to get access to the user’s data. Suppose, if you get an SMS saying that  ‘the wrong CVV was entered’  or ‘wrong pin entered’ then take that SMS seriously. People often take them casually, which may prove to be catastrophic. Individuals who respond instantly to a WhatsApp text usually ignore important SMS like this.

If this happens, inform your bank  and block your card. It means that someone has the rest of your credit card details  except for the CVV, and it costs you hard if it gets into their hand. It is also possible that they guess it right either. Following this, the most important point is, when you get a call from someone asking for any OTP that you may have received, saying that they’re calling from a bank or some other place. Do not believe them, never share your OTP with anyone. The OTP is meant only for you. Next, whenever you make an account on a website or enter your password often the website asks for security questions.

The security questions can be like ‘What is the name of your pet?’,  ‘What is the maiden name of your mother?’  Answers to these questions can be easily found on social media nowadays. Please pay attention to these security question and do not use such answers that can be publicly seen on your social media. Nowadays, people share such information on social media  that are the answers to those security questions.

Other than this, always keep the operating system of your phone and software of your computer updated to the latest version. The older versions are often lacking or have loopholes,  that can be accessed and exploited by hackers.

Whenever you visit a website check its URL. Does it begin with HTTPS? Or only HTTP? The ‘s’ letter is a very important letter, ‘s’ means secure. The websites beginning with HTTP  are not secured, so you shouldn’t visit them. The websites beginning with HTTPS are secure websites. Even my website begins with HTTPS, whenever I do visit any website I try to take all of these into consideration.

Summarizing all these points, you should always remember, nothing is free in this world. Many websites collect your data, tempting you by being ‘free’. “Look, you’re getting this for free, come give us your data”. The biggest example of it is probably Facebook. That collects your data and the data is later sold. So technically those things aren’t free, you’re giving your data to the websites, in return providing services for ‘free’.

At last, I’d like to say that the tips that I gave you do not guarantee that your data will be 100% secure, but will surely help to keep your data safe to a large extent. At the end I would say, it is the Government’s responsibility that they make stronger rules and regulations for the companies to behave responsibly with your data.

Leave a Reply

Your email address will not be published.