Domino's India on Hackers' Menu; CISOs React


A Turkish hacker group attacked the website of one of the world's largest fast food pizza companies, Domino's India, a couple of days back.

According to reports, the group known as TurkishAjan got access to over 37,000 account details from the website dominos.co.in. The leaked data contained customers' full personal details, such as addresses, names and telephone numbers.

Jubilant FoodWorks Limited and its subsidiary operate the Domino's Pizza brand with exclusive rights for India, Nepal, Bangladesh and Sri Lanka.

As reported, the website was hacked using SQL injection and remote file inclusion, which are among the most common methods for stealing private data from web databases.

The company has yet to confirm or respond to these reports. 

Being a regular Domino's Pizza customer, this news is a shock to me, as it will be for thousands of other customers.

DynamicCIO asked a couple of Chief Information Security Officers (CISOs) how the attack on Domino's website could have been averted.

Pawan Kumar Singh, CISO, Tulip Telecom opines that a majority of such incidents occur due to either lack of basic hygiene or inadequate/weak security practices. "Basic hygiene in terms of computer systems includes appropriate patch management, user ID controls, blocking of unused ports etc. From the network perspective, an effective firewall / IPS management should be present. A robust incident management system also helps in quick and controlled actions to act under such situations," he says.

What could be the extent of the damage for thousands of these customers in such an attack?

"As a common practice, many people tend to re-use their password across portals. So there is a high possibility that the affected customer's Domino's account password is the same as their registered email password," says Dilip Panjwani, Information Security Compliance Officer at Kotak Mahindra Bank.

He adds that the emails could have sensitive information such as a bank / trading account statement, social networking account details, etc., which again could contain the same password. "In some cases, it has been observed that users tend to store their account details with password in their email accounts for reference. In case of such customers, the extent of damage can be higher," Panjwani says.

CISOs state that companies need to have reasonable security practices in place to protect customer information. Companies that fail to do so can face legal suits under the IT Act 2008, and may also have to compensate the affected users.

"We need stringent laws and regulations that compel organizations to comply. As of now it is effective only in the BFSI and telecom sectors. It has to be made mandatory for all business types. It will at least reduce the number of such incidents, if not eliminate them," says Manish Dave, CISO, Essar Group.

According to the Norton Cybercrime Report 2012 released yesterday, in the past 12 months 56 percent of online adults in India have experienced cybercrime (more than 115,000 victims of cybercrime every day, 80 victims per minute and more than one per second), and the average direct financial cost per victim is USD 192, up 18 percent over 2011 (USD 163). The report revealed that 66 percent of Indian online adults have been victims of cybercrime in their lifetime.

CISOs take learnings from this incident and offer some advice:

-- If an attack has not happened on your company site to date, do not assume it will not happen at all. An open vulnerability on an Internet-facing website can be exploited by anyone, as the site is openly accessible from the World Wide Web. A web application firewall (WAF) is required at the perimeter level to detect and block all known attacks against existing / open vulnerabilities on the sites. However, a WAF itself has some limitations, and therefore cannot be considered the final solution. Lastly, security is an ongoing journey and not a destination.

-- Credit card companies should come forward with a solution that ensures that future transactions are authentic and made only by the owner of the credit card. They should also apprise all customers of the incident, and request them to report doubtful transactions.

-- CIOs/CSOs in the non-BFSI sector are having a tough time running the show. They know the risks, and they highlight them to convince the management to invest in essential security controls. Unfortunately, non-BFSI organizations are driven by finance departments (particularly in a 'recession-like' scenario), and hence end up having weaker security infrastructure. When a breach occurs, the CIO or the CISO gets the axe.

Ashwani Mishra

Ashwani Mishra is a former Executive Editor at DynamicCIO....

Read more

Write a Comment

Your e-mail address will not be published.
Required fields are marked*

*

Recent Comments