The French and Belgian Domino's Pizza customer database was stolen by the hacker group Rex Mundi. They demanded a 30,000 euro payment to avoid disclosure. Domino's went to the police instead, so the 592,000 French and 58,000 Belgian customer records will be in the open tonight.
What is the interesting part, though? This is 2014. Do you know how they stored passwords? MD5, with no salt and no stretching. As if the previous 20 years had never happened in their computer universe. We keep reiterating the right way to store passwords over and over again, and nobody listens.
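To make the difference concrete, here is an added example (not code from the post or from Domino's) contrasting the unsalted MD5 scheme with a salted, stretched PBKDF2 scheme; the two sample customers and their shared password are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample: two customers who happen to use the same password.
USERS = {"alice@example.com": "pizza123", "bob@example.com": "pizza123"}


def md5_unsalted(password: str) -> str:
    """What the leaked database used: one fast, unsalted digest per password.
    Equal passwords produce equal hashes, so one cracked entry exposes every
    user who chose the same password, and precomputed tables apply directly."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, salt: bytes = b"", iterations: int = 600_000) -> str:
    """Salted and stretched: a random 16-byte salt per user and many
    HMAC-SHA256 rounds, stored as 'pbkdf2_sha256$iterations$salt$hash'."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_hash_count(hashes) -> int:
    """How many stored values collide with another user's. A defender auditing a
    password table can use this: a non-zero count means no per-user salt."""
    return len(hashes) - len(set(hashes))


if __name__ == "__main__":
    md5_table = [md5_unsalted(p) for p in USERS.values()]
    pbkdf2_table = [pbkdf2_store(p) for p in USERS.values()]
    print("duplicate MD5 entries:   ", duplicate_hash_count(md5_table))     # 1
    print("duplicate PBKDF2 entries:", duplicate_hash_count(pbkdf2_table))  # 0
    print("verify correct password: ", pbkdf2_verify("pizza123", pbkdf2_table[0]))
```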
Domino's said in a statement: ‘The security of customer information is very important to us. We regularly test our UK website for penetration as part of the ongoing rigorous checks and continual routine maintenance of our online operations.’
I can sympathise with the challenges of securing a large network, where you have to get many things right. But if you only do penetration testing and ignore everything else, you end up with a false sense of security. Judging by their not knowing how to store passwords, that is exactly what happened here. Penetration testing can supplement, but never replace, an all-encompassing security program.
The only upside is that Domino's apparently stored credit card details separately, so the financial data has not fallen into the hackers' hands. So, that's good.
More at The Guardian, the Daily Mail and The Register.