A recent security breach at Domino's Pizza restaurants in France and Belgium has left the restaurant with a black eye -- and a ransom demand.
After personal data for 650,000 Domino's customers were stolen last week, those claiming to be behind the e-heist are demanding that the company's France unit pay €30,000, or roughly $40,700, according to Reuters. If the ransom is not received, they say they will publish the data on the Internet.
The group, which calls itself Rex Mundi, Latin for "king of the world," said the information includes full customer names, addresses, phone numbers, email addresses, passwords, delivery instructions and favorite pizza toppings. The data breach involves 592,000 French customers and 58,000 from Belgium.
In 2012, the same group exposed data on thousands of customers after payday lender AmeriCash Advance refused to pay them between $15,000 and $20,000.
Domino's told a Dutch newspaper that it would not pay the ransom, and emphasized that credit card numbers and other financial data had not been lost. However, the release of personal data can still expose consumers to identity theft, particularly if people use the same email and password to identify themselves at other sites. Domino's has advised customers to change their passwords.
This isn't the company's first brush with security problems. In 2012, Domino's Pizza India saw its website compromised. In that instance, hackers posted names, email addresses, phone numbers and passwords of 37,000 customers.
The use or threat of cyber-attacks for extortion also isn't new, although companies rarely discuss such schemes. Rumors have circulated for years of companies that paid to keep from being electronically attacked.
Online note-taking system Evernote and newsreader Feedly have both been recently attacked. Feedly admitted that the people responsible demanded payment to stop the attacks, although the company said that it refused.
Russian police also recently arrested two people accused of electronically locking Apple mobile devices in Australia and in the U.S. and then demanding payment from individuals to release them.
Companies confronted with such extortion threats face multiple problems. Pay up and you run the risk of being seen as an easy target in the future. Refuse to cooperate and a downed website or release of personal information could have a negative impact on business and customer perceptions.
And all of that assumes the payment demands come from the same people actually perpetrating an attack. Scammers could easily claim to be in charge, take money and then skip off, leaving the target company in the same straits as before.