Domino’s Australia customer data has been leaked, and Australians are receiving spam emails from scammers as a result.
At a minimum, the scammers seem to know customers’ names, email addresses and the stores where they purchased pizzas. The result is that pizza customers have been receiving phishing emails that look legitimate, addressing them by first name and mentioning their local suburb in an attempt to provoke a reply.
In an undated statement not listed on the Domino’s Australia media page, Domino’s blamed a “former supplier” for the privacy breach and insisted there was no “unauthorised access” to its systems.
“Domino’s apologises to customers who may have received any unsolicited emails as a result of this unauthorised access through the former supplier and recommends customers do not engage or respond to these emails,” the company stated.
While not disclosing when it first became aware of the issue, Domino’s stated it “acted quickly to contain the information” and that an investigation into the breach was under way.
Passwords and payment information had not been leaked, according to the company, and there is no need for customers to reset their passwords.
Business Insider first received a spam email in late September from a person named “Sarah” (without a surname) that addressed the recipient by first name, in an effort to solicit a reply. The email also contains a reference to Rozelle, a Sydney suburb that contains a Domino’s store.
A follow-up email from “Sarah” a week later also tries to provoke a response by asking whether the recipient is also in Rozelle. The two spam emails are supposedly sent from two completely different email addresses, although the addresses are likely to be fake.
Some Domino’s customers who have received similar emails have described them on social media as “eerie” and complained that the company’s response to the privacy breach was inadequate:
@Dominos_AU Why am I getting Dear Jess emails & why didn't you disclose massive breach?? PR fail. Wouldn't've been angry if u'd disclosed ??
— FortaFraud (@fortafraud) October 17, 2017
Domino’s Australia declined to name the former supplier responsible for the breach, but stated its relationship had ended in July this year.
Business Insider has contacted Domino’s Australia for further details.
The data leak first went public in New Zealand earlier this month, with the same spam emails from “Sarah” also going out to customers in that country. Local news site Stuff.co.nz reported that customer Luke Chandler, who last year ordered pizzas from the Mount Maunganui store using the alias “Professor Chandler”, received spam emails asking Professor Chandler if he was from Mount Maunganui.
ASX-listed Domino’s Pizza Enterprises owns the Domino’s franchise rights in both Australia and New Zealand, as well as France, Belgium, the Netherlands, Japan and Germany. In 2014, hackers threatened to expose the data of more than 600,000 French and Belgian customers unless a 30,000 Euro ransom was paid.
Explains a few of the emails that got caught by my spam filter…
— Jess Dodson (@girlgerms) October 17, 2017
Please contact us on [email protected] so we can answer any questions you have and provide you with a team member to speak.
— Domino's Australia (@Dominos_AU) October 17, 2017