Domino's India Delivered 180 Million Orders. It Also Delivered Them to a Dark-Web Marketplace.
In May 2021, 180 million Domino's India order histories, including names, addresses, and GPS coordinates, surfaced on a dark-web marketplace for $540,000. We read the breach against the DPDP Act.
Domino's India delivered 180 million orders. In May 2021, it also delivered 180 million order histories, names, phone numbers, delivery addresses, and GPS coordinates, to a dark-web marketplace. The asking price was $540,000.
Location data is not ordinary PII
A delivery address tells you where someone sleeps. GPS coordinates tell you when. 180 million orders across years of history tells you everything else: household size, income bracket, dietary patterns, and medical conditions inferred from food choices.
Under §8 and Rule 6, this is precisely the data that triggers heightened obligations: reasonable security safeguards proportionate to the sensitivity of the data being held. An earphone purchase history is not equivalent to a home address logged 47 times, and the safeguards should not be equivalent either.
Gap 1: Retention without a purpose ceiling (Rule 8)
Order history beyond three years of inactivity has no operational purpose. Retaining it indefinitely creates liability without benefit. Rule 8 requires defined erasure schedules; "we keep it for analytics" is not a schedule.
Gap 2: No breach disclosure (Rule 7)
Jubilant FoodWorks, the operator of Domino's India, did not formally acknowledge the breach in any public regulatory communication. Under Rule 7, a breach affecting 180 million records triggers mandatory Data Protection Board notification within 72 hours of awareness, not after customer discovery and not after press coverage. Awareness starts the clock.
Gap 3: The GPS problem (§6)
Location data collected for delivery is purpose-specific: get the order to the door. Using that location history for any downstream analytics or profiling requires fresh, itemised consent under §6. Storing it indefinitely without a declared secondary purpose is a purpose-limitation failure.
The takeaway for delivery and food-tech founders
Your delivery address database is your biggest DPDP exposure, not your payment data. Payment data has decades of security infrastructure behind it. Address, GPS, and order history combined have almost none.
Every delivery app in India is sitting on the same exposure Domino's had in 2021. The DPDP Act now gives that exposure a ₹250 crore ceiling. Our DPDP compliance checklist covers retention schedules and breach playbooks in the order that matters most. Run a free Compliance Score below to see where your own policy stands.
Frequently asked questions
What happened in the Domino's India data breach?
In May 2021, security researchers reported that a dataset attributed to Domino's India, comprising roughly 180 million order records, including names, phone numbers, addresses, and GPS coordinates, was offered for sale on a dark-web marketplace for $540,000.
Is GPS delivery data covered by the DPDP Act?
Yes. GPS coordinates collected to complete a delivery are personal data under the DPDP Act and are purpose-specific to that delivery. Using or retaining that location data beyond the delivery purpose requires a separately declared purpose and fresh consent under §6.
How long can a delivery app retain order history?
The DPDP Act does not set a fixed number for every sector, but Rule 8 requires a defined retention period per data category. Order history with no operational use after a period of inactivity, commonly benchmarked at three years, should have a defined erasure schedule rather than indefinite retention.