Governance & Risk Management , Incident & Breach Response , Privacy
FreshMenu Hid Data Breach Affecting 110,000 UsersCEO Took Two Years to Acknowledge Incident
FreshMenu, a food delivery provider based in India, has come under social media attack for keeping under wraps a data breach two years ago that exposed the personal information of over 110,000 users.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The incident originally was brought to light in 2016 by data breach tracker HaveIBeenPwned, which discovered that the breach exposed names, email addresses, phone numbers, home addresses, and order histories, the Times of India reported on Wednesday. That news report led to the strong response on social media.
#FreshMenu ! Don't you have any ethics? Atleast we should have been informed and asked to change our passwords.— Pratibha Gupta (@Pratibh45533273) September 12, 2018
#FreshMenu Trust broken. Uninstalled...— amit singhaniya (@asinghaniya) September 12, 2018
Troy Hunt, who runs HaveIBeenPwned, says he had informed FreshMenu back in July 2016 that the breach had taken place, but the company decided not to notify impacted customers.
Rashmi Daga, founder at FreshMenu, has admitted to concealing the breach from customers.
"In that moment, we believed that the since the breach was limited, we would focus on resolving the vulnerability and making sure that no further breaches happen," Daga says. "I owe every user of FreshMenu a sincere apology for the breach and for not addressing this matter proactively. Trust is integral to the relationship we share with you, and we regret the event that led to this trust being compromised."
The breach did not lead to the theft of money or bank account details, Daga says. "At no point during this time was information such as user passwords or payment-related information, breached," she says. "We have always worked with secure payment partners to store payment information in PCI DSS compliant systems on their side, and that is absolutely safe."
On Wednesday, Daga addressed the issue via an email to customers. "It is clear in hindsight that we could have communicated this information to our users at that time," she said.
In the email, Daga assured users that the company took immediate action to address the issue.
"We took immediate action and worked with AppSecure and Anand Prakash, India's best known white hat hacker, to audit our systems and help us make our system security robust," she wrote. "Our team has worked harder to make sure the FreshMenu app and site are thoroughly secure, and our commitment does not end there. We work tirelessly on creating the best for you because that is our top priority."
Critics Blast Tardy Notification
But security practitioners say that even if payment information wasn't breached, the incident should have been promptly reported to those affected.
"Customers have every right to know what data of theirs has been compromised or leaked," says Rahul Sharma, founder of the Perspective, a firm which focuses on cyber policy. "This should be a practice followed by every company, and I feel a law addressing this issue must come out soon."
"Who are they to decide whether my leaked data is important or critical? If I am trusting them with my data, I have every right to know when my data gets compromised, however small the breach is."
Shivangi Nadkarni, CEO at Arrka Consulting, says companies have an obligation to notify those affected by breaches, regardless of the type or amount of data that was exposed.
"A data breach is a data breach," she says. "If firms worry that revealing small and harmless breaches will drive away customers, they are wrong. I think customers are more loyal when the trust factor is not broken."
But some security experts argue not all breaches should result in notifications.
"All firms are hit by small breaches every now and then. One can't keep panicking the customers by informing them about every breach," says Sandeep Arora, co-founder at CyberImmersions Solutions, which provides training, education and consulting in cybersecurity, cyber law and privacy. "I feel if the breach is not directly causing a harm to customers, companies can take attention internally and make sure such things do not happen again."
What Led to Breach?
Although it's unclear how FreshMenu customer information was breached, such breaches often target web and mobile applications, some security experts say.
Pavan Kushwaha, co-founder and CEO at Kratikal Tech, says that developers often inadvertently leave certain loopholes, which can be exploited by skilled hackers. "Common vulnerabilities that tend to be present over such applications include authentication bypass, authorization bypass, SQL injection and forged requests," Kushwaha says. "Such vulnerabilities allow hackers to access administrator accounts and potentially allow them to download entire database."
In addition, Kushwaha notes that many servers are vulnerable to zero-day exploits because they are not regularly updated. "Hackers use such exploits to directly attack the servers and affect the confidentiality and availability of the data," he says.