Domino's Customers Are Getting Spam Emails, But The Company Says It Wasn't Hacked

    Customers are getting weird emails from someone called Sarah.

    Domino's Pizza in Australia, trading as Domino's Pizza Enterprises (DPE), is investigating reports from customers that their email addresses have been spammed with strange emails naming the store suburbs they have previously ordered pizza from.

    According to its website, DPE is the largest franchisee for the Domino's Pizza brand in the world and holds the exclusive master franchise rights for Australia and six other countries, including Japan and Germany.

    Since yesterday, customers have posted on the Domino's Facebook page and on Reddit stating they have been receiving spam emails from someone named Sarah or Jess, with information derived from their Domino's orders.

    "They all know my name, email address and places close to where I live," one user posted on Reddit. "Those places turned out to be Domino's stores I've ordered at."

    There were similar reports from customers in New Zealand earlier this month.

    When BuzzFeed News contacted Domino's about the issue, a spokesperson provided a statement that indicated that the "potential issue" was with a former supplier's system.

    "We are investigating a potential issue with a former supplier’s systems that may have led to a number of customer email addresses, names and store suburbs (related to pizza orders) being accessed as a result," the spokesperson said.

    "Domino’s acted quickly to contain the information when it became aware of the issue and has commenced a detailed review process."

    The spokesperson said that "ongoing testing" had confirmed Domino's own systems were not compromised, and credit card details and passwords had not been accessed or compromised.

    "Domino’s confirmed customers do not have to update passwords or details but recommends they don’t click on any links contained in the spam material, mark the emails as spam, and ensure their virus protection is up-to-date," the spokesperson said.

    The company spokesperson said Domino's was working with the Office of the Australian Information Commissioner (OAIC) on potential privacy issues.

    The mandatory data breach notification law passed in Australia earlier this year, which may have required the company to inform the OAIC of the breach, does not come into effect until February next year.

    Domino's is encouraging customers receiving spam to contact the company on its Facebook page.

    The Office of the Australian Information Commissioner said in a statement that companies were required to take steps to ensure the protection of personal information handed over to third parties, such as in the Domino's case.

    "Failure to take these steps could lead an organisation to be in breach of the Privacy Act and potentially subject to penalties," the spokesperson said.