Some Domino's Australia customers have been receiving very strange emails after their details — including name, email address and their favoured local pizza shops — have apparently made their way into the hands of cyber crooks.
Since at least late September, customers have been sent phishing emails from seemingly randomised email addresses, using their names and the suburbs of Domino's stores in an attempt to prompt a reply.
Typically these take the form of "Tim, it is Sarah, are you in Rozelle?" or "What's Up? Tim, it's Jess from Rozelle, my new email address".
Though there's nothing in the emails to tie the data to Domino's, a Reddit user detailed his experience on r/Australia on Tuesday night, claiming he recognised the suburbs as places he had ordered Domino's from. He said he contacted the company and was told that a Domino's supplier, which had been passed user data in accordance with the policy customers agree to when using its online services, had been breached.
A similar story emerged in New Zealand earlier this month, when a customer who had used a joke name when ordering Domino's started getting scam emails addressed to that name.
Since the Reddit post, customers have taken to social media to express their displeasure that Domino's had not contacted them about the potential compromise of their details, even though the company knew about it. Many had noticed the emails, but did not know how their details were acquired by the scammers.
In a statement posted on its website, which is undated and doesn't appear to be accessible from the main site, Domino's confirmed it has cut ties with the company that appears to have been breached.
"Domino's takes the security and privacy of customer information seriously and there is no evidence to suggest that there has been unauthorised access to Domino's systems," the statement says.
"We are investigating a potential issue with a former supplier's systems that may have led to a number of customer email addresses, names and store suburbs (related to pizza orders) being accessed as a result."
The company says it is working with "industry best" security experts to conduct a detailed review process, and has already "put in place immediate steps to prevent this from reoccurring". It reiterates that no financial information or passwords were compromised, and suggests customers contact it on Facebook or via a feedback email address if they're concerned.
Fairfax Media received an identical statement when it reached out to Domino's for clarification on the nature of the supplier company, and to inquire whether it intends to disclose the data leak to its customers directly.
Paul Kallenbach, partner at law firm MinterEllison, said that companies were not necessarily required by law to notify customers if their data had been compromised.
"In this country we don't yet have mandatory data breach disclosure laws. We will have those laws from February 22 next year. The act has been passed but is not in effect," Mr Kallenbach said.
"Bottom line at the moment is that the regime is voluntary, so it's really up to them as to when they disclose."
Mr Kallenbach said that the privacy commissioner takes the view that timely notification of data breaches is part of a company's responsibility to reasonably protect customer data, but that in reality the number of breaches declared was "an order of magnitude out" from the number of actual breaches.
It's unclear whether Domino's would be required to disclose this particular breach under the forthcoming laws, as the nature of the supplier company that was handed the data is unknown. Mr Kallenbach said that if the company was a sub-contractor or was using the data, for example, to conduct marketing on behalf of Domino's, Domino's would be required to declare the breach under the new laws.
Domino's Australia has been in the news for all the wrong reasons this month, with news of this data leak preceded by claims that the company has infringed on GPS location-tracking patents, and ongoing legal proceedings about the below-award wages it pays its workers.