A massive data breach on FreshMenu, affecting over 100,000 users, has been revealed by HaveIBeenPwned.com—a website created by noted security expert Troy Hunt in 2013, which allows you to check if your personal data has been compromised. Worse, the company’s response was to say that it was aware of the data breach, and chose not to inform its users.
“When advised of the incident, FreshMenu acknowledged being already aware of the breach but stated they had decided not to notify impacted customers,” HaveIBeenPwned.com wrote. The data that was stolen includes customer names, email addresses, phone numbers, home addresses and order histories.
However, in a statement published on the FreshMenu website, company founder Rashmi Daga wrote that the company thought this breach was “limited”. She also apologised to users for the breach and for not addressing the matter “proactively”.
Considering that India is a country where people have been lynched because of the contents of their fridge, real names and addresses, coupled with detailed order histories are a sensitive matter, and not informing the affected customers is a worrying behaviour.
“The stolen information comprised of names, email-ids and phone numbers. At no point during this time was information such as user passwords or payment-related information, breached. We have always worked with secure payment partners to store payment information in PCI DSS compliant systems on their side and that is absolutely safe,” Daga wrote.
“Further on, we took immediate action and worked with AppSecure and Anand Prakash, India’s best known white hat hacker, to audit our systems and help us make our system’s security robust,” she added.
This was reported by Gadgets 360, which also pointed out that this is not the first instance wherein the Indian food delivery space has experienced a data breach. In May last year, industry leader Zomato’s data was hacked and the data of 17 million of its customers was apparently stolen. While sensitive data such as usernames and passwords were leaked, Zomato claimed that no payment information went into wrong hands. A Gemalto study noted that this was the sixth biggest data breach globally in all of H1 2017.