Since February 2, 2011, I've ordered from Domino's Pizza on 60 separate occasions.
My favourite pizza? BBQ chicken and rasher bacon, of which I ordered 96 servings.
I also ordered 72 Belgian chocolate lava cakes (the timing of which, unsurprisingly, corresponds with weight gain I have since thankfully reversed); four "battered bananas"; nine 1.25L Cokes; 12 cheesy garlic breads; and much more which I am too embarrassed to share.
How do I know all this? From cataloguing each purchase? No, of course not (but maybe I should have). It's because this is the data Domino's has stored about me.
And you know who else might know about my evening snacking habits? Hackers.
Based on what is currently "known" to Domino's, it "believes" that only a "small part" of the total information it stores about customers was "accessed" by hackers.
For the first time, Domino's has revealed that the names of the stores you ordered from, customer order names (if provided) and the email addresses used for orders were accessed in the breach. Fairfax Media first reported on that breach in October, when Domino's revealed it had resulted in customers receiving spam emails.
The key word is "accessed". Companies that have been breached often favour it because it narrows the admission: it covers only the data they can show was read, says nothing about other information that may have been "exposed" to the same attackers, and does not rule out that data having been "downloaded" (only that they have no evidence of it). In practice the distinction rests on what the logs happen to record; a system that does not log reads cannot tell the difference between data that was merely reachable and data that was taken.
As someone recently pointed out to me, that's like saying, 'We left a binder of your personal information on the footpath and no one photocopied it. That we know of'.
Whether or not further data was exposed — such as your midnight snack order list, home address, mobile number and more — is not yet known.
However, personal data released to Fairfax Media under Australian privacy laws shows that Domino's stores and retains for several years a whole host of information about you beyond your email, name, and the store address you ordered from.
It turns out Domino's also stores your mobile number, payment method (credit card versus cash), IP address, email address, name, order date, order address, delivery instructions, delivery type (pickup versus delivery), the products you ordered and their price, the vouchers you used, and any feedback you left.
In an email to this author on Monday, after several automated email responses, Domino's finally came clean about what data it believed had been stolen, as well as the data it has stored about its customers.
"Please find enclosed an Excel spreadsheet containing a customer data summary relating to your email address, as requested, and in accordance with our obligations under the Privacy Act 1988," Domino's privacy officer wrote on Monday after this author threatened to take Domino's to the Australian privacy commissioner.
"The spreadsheet … contains the information that we hold about you and does not represent the information that may be subject to the spam incident. We currently believe that only a small part of the total information was accessed, being order name, store name and order email address," the privacy officer said.
"This is the type of information that is contained in an online rating system managed by a former supplier which suggests this may have been the source of the information.
"We are continuing to investigate this."
The privacy officer further added that Domino's and Silvio's Dial-A-Pizza Pty Ltd (the operator of its Pizza Mogul platform) "collect, hold and use information in accordance with law". Pizza Mogul is Domino's online platform that lets you create your own custom pizzas and promote them via social media to "make easy money".
"Please note that investigations into the unauthorised spam incident so far confirm the Domino's systems are secure and your payment information (we do not store your credit card) and passwords have not been accessed or compromised," Domino's said, before adding that "no account information or passwords have been accessed".
According to Domino's, customers do not have to update their Domino's account passwords. "However, we recommend that you do not reply to any spam emails that you may receive or click on any links or attachments contained in the spam emails.
"We also recommend that you mark the emails as spam and ensure your software and anti-virus protection is up-to-date."
So far, the only known consequence of the breach is that people have received annoying spam emails.
Typically these take the form of "Tim, it is Sarah, are you in Rozelle?" or "What's Up? Tim, it's Jess from Rozelle, my new email address".
Though there's nothing in the emails to tie the data to Domino's, a Reddit user detailed his experience on r/Australia, claiming he recognised the suburbs as places he had ordered Domino's from.
Whether the breach went further is not yet known, and is unlikely ever to be known unless a hacker begins using the data for identity fraud or Domino's uncovers new information in its logs showing that further data was accessed.
In the meantime, the company has no obligation under Australian law to notify customers of the breach. That all changes in February next year, when fines of up to $2.1 million (recently increased from $1.7 million) can be levied against those who act negligently and don't notify affected users.