A group of hackers calling itself ‘Rex Mundi’ claims it has breached vulnerable servers belonging to Domino’s France and Belgium, stealing the sensitive information of nearly 600,000 customers. The group is demanding a payment of €30,000 from Domino’s in exchange for information about the vulnerability they exploited and the records they made off with.
Domino’s vice president of communications Tim McIntyre confirmed the attack in an email interview with Threatpost, but emphasized that the breach only affects customers in France and Belgium and that no financial data was exposed. He also confirmed that the hacker group contacted Domino’s in France demanding payment in addition to making threats via Twitter. McIntyre says the company has no intention of paying the group any money.
The Rex Mundi Twitter handle has been suspended, though it is not clear if that move is related to the attack or the threats allegedly made.
“No customer credit card or financial information was compromised, as their system is a bit outdated and does not accept credit card orders,” McIntyre told Threapost. “Plans were already in place to have the system roll over to the platform we use in the U.S. This does not affect any market outside of France and Belgium. The site has been secured.”
A terse search through past headlines reveals that Rex Mundi – which translates literally from latin as ‘the king of the world’ – has a history of claiming hacks of various organizations and demanding ransom payments from them.
The group claimed in a dpaste.com entry that has since been removed that it made off with 592,000 Domino’s customer records, primarily from France with nearly 60,000 of those records belonged to Belgian users.
The stolen information is said to contain customers’ full names, addresses, phone numbers, email addresses, passwords, delivery instructions, and favorite pizza toppings.
Rex Mundi says the sites are still vulnerable, though Domino’s claims this is not true. The hacker group says it will make the information it has stolen public by 8 PM CET (2 PM EDT) if it does not receive payment.