FreshMenu embroiled in data breach scandal; 110,000 customers affected

Indian-based food delivery service provider FreshMenu is facing a fierce backlash after it was found to have covered up a data breach affecting 110,000 customers.

HIBP (Have I Been Pwned) disclosed the incident in September 2018, but said the breach occurred two years ago. When HIBP notified FreshMenu, the organization said it already knew about the breach but had chosen not to inform those affected.

Customers’ names, email addresses, phone numbers, home addresses, device information, and order histories had been compromised.

Breach: FreshMenu
Date of Breach: July 1, 2016
Number of Accounts: 110,355
Compromised Data: Device Information, Email Addresses, Names, Phone Numbers, Physical Addresses, Purchases
Description: In July 2016, the India-Based food delivery service FreshMenu suffered a data breach.  The incident exposed the personal data of over 110K customers. and included their names, email addresses, phone numbers, home addresses, and other histories.  When advised of the incident, FreshMenu acknowledged being aware of the breach but stated they had decided not to notify impacted customers.

(Source: https://haveibeenpwned.com/PwnedWebsites)

The controversy isn’t over the fact that a breach took place. After all, customers have come to expect that. It’s about FreshMenu’s decision to not inform customers that their information had been exposed. Many of those affected took to Twitter to voice their frustration.

The worst thing an organization can do

Organizations are repeatedly told that data breaches can be disastrous. They see the uproar that follows stories about security incidents and they read the widely publicized statistics about the percentage of companies that go out of business after a breach.

It’s therefore easy to see why an organization would want to do everything it can to avoid disclosing a data breach. But covering up an incident is the worst thing you can do, because you’re not only lying to your customers but also giving cyber criminals as much time as they need to use or sell the data.

It also prevents other organizations from learning about the tactics cyber criminals use and the vulnerabilities that need to be addressed. This is bad for the overall state of cybersecurity, as it means attacks are likely to be more successful, more profitable, and more regular.

There’s also the problem of keeping the cover-up going. Services such as HIBP are always looking out for data breaches, and they are adept at tracing compromised information back to its root. They will uncover breaches sooner or later, and then you’ll have to answer for why you didn’t disclose it. This will often be the focus of more criticism than the breach itself, as FreshMenu found to its cost.

FreshMenu: Negligence or malice?

After days of criticism, FreshMenu’s founder, Rashmi Daga, apologized for “not addressing this matter proactively.”

She added: “Trust is integral to the relationship we share with you and we regret the event that led to this trust being compromised. In that moment, we believe[d] that since the breach was limited, we would focus on resolving the vulnerability and making sure that no further breaches happen.”

This explanation has done little to assuage the concerns of FreshMenu’s customers, because it’s not as though resolving the vulnerability and contacting affected individuals is an either-or option. The damage had been done as soon as the breach occurred, and addressing the source of the incident won’t have done anything to affect that.

On the plus side, the statement indicates that the cover-up was the result of negligence as opposed to malice, as was the case with Uber’s cover-up scandal. FreshMenu’s decision-makers were seemingly unaware of the importance of contacting customers, which is marginally better than trying to hide the incident, and have now learned a valuable lesson.

Another positive is that this incident provides a textbook example of why the EU GDPR (General Data Protection Regulation) is in place.

The GDPR contains a long list of strict requirements, including rules on data breach notification, which apply to any organization that handles EU residents’ personal data. FreshMenu isn’t within its scope, but many North American organizations are. Those that have to meet the GDPR’s requirements have criticized its apparently excessive bureaucracy, but the FreshMenu incident shows the ways in which the Regulation can help.

Many organizations don’t know what they should be doing to reduce the risk of data breaches, and without strict rules they will do very little. That’s not only damaging for them but also for all their customers. Had FreshMenu been clearly instructed to disclose breaches, it almost certainly would have done so, thus avoiding all the damage it has incurred in the past month.

Watch our GDPR webinars

You can learn more about the benefits of the GDPR and how you can meet its requirements by watching our webinar series. We have two upcoming presentations that you might be interested in:

If you can’t make either of these webinars, they’ll be available to download from our website shortly after they finish, where you can also see our upcoming schedule and view our past presentations.


Get #BreachReady

Discover how to prepare for a data breach by visiting our #BreachReady page. We break the process down into six simple steps and recommend tools and services you can use to complete each task.