Customer raises data breach question as Domino's spammer returns

The annoying Domino's spammer known as "Sarah" has returned, and a Christchurch customer is asking if it means a fresh data breach.

But the pizza giant maintains there have been no new security incidents.

Last October, a wave of customers were emailed by "Sarah" after ordering a pizza at Domino's.

The ASX-listed company said a third-party supplier to its Australia and New Zealand operation - since terminated - had suffered a data breach.

After that 2017 incident, Domino's emphasised that although email addresses had been spilled by its supplier, customers' other details - such as credit card numbers - had not been leaked. There was no need for customers to change their passwords. There had been no breach of Domino's own systems.

The ASX-listed company reported the data breach to NZ Privacy Commissioner John Edwards.

One of those affected in October 2017 was Luke Chandler, managing director of retail power startup Mad Energy. Chandler ordered a pizza from Domino's Mt Maunganui. Shortly after, he received an email from "Sarah" asking him to confirm if he lived at the Mount.

Chandler - now in Christchurch - told the Herald he ordered a Domino's pizza online for the first time in months last week on September 16, from the chain's Ilam store. On September 21, he received an email from "Sarah" asking him if lives in Ilam.

On online forum Reddit this morning, nine people said they had also received a new email from "Sarah" recently.

However, Domino's New Zealand general manager Cameron Toomey says "Domino's can confirm that the reported incidences are not a new data breach."

He adds, "A year ago, Domino's reported that a number of customers had received unsolicited emails from unknown third parties addressing them by their name and referencing the suburb they live in. This is the type of information that is contained in the online rating system managed by a former supplier, which suggests this may have been the source of the information."

He reiterates that no financial or password data was compromised.

"Domino's takes the privacy of our customers very seriously. We also understand how frustrating receiving spam emails can be and we want to thank our customers for their patience and understanding," Toomey says.

"We advise customers to never respond to an email if they do not recognise the sender. If customers receive an unsolicited email from a third party asking them to confirm their suburb do not respond. We appreciate that such direct questioning can be confronting. However, this email has been designed by a spammer to encourage individuals to respond in some way."

A revamp of the Privacy Act, currently making its way through Parliament, will make it mandatory for organisations to report a data breach.