DOMINO’S DATA BREACH: CEO says online ratings system leaked customers’ info

Domino’s CEO Don Meij. (Source: supplied)

Domino’s Australia chief executive Don Meij said an online ratings system was the source of a customer data breach.

Business Insider on Wednesday reported scammers had possession of Domino’s Pizza customer data. The stolen data was then used to send pizza customers legitimate-looking phishing emails that addressed them by first name and mentioned their local suburb in an attempt to provoke a reply.

The spam emails showed the senders at least knew customers’ names, email addresses and the stores where they bought pizzas.

In an update to customers, Meij still refused to name the former supplier responsible, but narrowed down the possibilities by saying it had matched the stolen data with a particular subsystem.

“This is the type of information that is contained in an online rating system managed by a former supplier, which suggests this may have been the source of the information. We are continuing to investigate this,” said Meij.

Email from scammer using Domino’s Australia customer data. (Business Insider Australia)

“We understand that receiving an unknown email from a third party asking these details in this manner can be confronting and we share your concern about this.”

Meij added that “dedicated webpages” about the breach had been set up for Australia and New Zealand, although at the time of writing there was no direct mention or link to this on the Domino’s Australia homepage. You can find it here.

Domino’s had previously stated its relationship with the supplier had ended in July and that no “unauthorised access” to its systems had taken place. It would not say how many customers were affected by the incident.

The unsolicited emails have caused anger on social media from customers worried that personal information is now in possession of parties with foul intent. Many customers also complained that Domino’s only acknowledged the breach after it was publicly exposed.

Business Insider first received a spam email in late September from a person named “Sarah” (without a surname) that addressed the recipient by first name, in an effort to solicit a reply. The email also contains a reference to Rozelle, a Sydney suburb that contains a Domino’s store.

Second email from scammer using Domino’s Australia customer data. (Business Insider Australia)

A follow-up email from “Sarah” a week later also tries to provoke a response by asking whether the recipient is also in Rozelle. The two spam emails are supposedly sent from two completely different email addresses, although the addresses are likely to be fake.

US credit information company Equifax, which last month suffered a massive privacy breach that may have exposed up to 143 million people’s data, was in March named Domino’s Australia’s business partner of the year for marketing services.

The update narrowing the leak down to an online ratings system seems to eliminate Equifax as a culprit. Domino’s Australia has maintained from the start that financial information was not compromised.

ASX-listed Domino’s Pizza Enterprises owns the Domino’s franchise rights in both Australia and New Zealand, as well as France, Belgium, the Netherlands, Japan and Germany. The current privacy breach was first uncovered in New Zealand at the start of the month.

In 2014, hackers threatened to expose the data of more than 600,000 French and Belgian customers unless a 30,000 euro ransom was paid.