Food delivery provider FreshMenu started operations in India back in 2014, and has since been selling its products on its own platform as well as through aggregator apps like Zomato, Swiggy, and UberEATS. A report has now surfaced online that claims FreshMenu had a massive data breach back in 2016; a breach that exposed personal data of over 110,000 customers including their names, email addresses, phone numbers, home addresses, device information, and order histories. It is currently not known whether any customer payment information was outed from FreshMenu's database. The company has responded to the claims, and you can read the statement in its entirety at the bottom of this article.
"When advised of the incident, FreshMenu acknowledged being already aware of the breach but stated they had decided not to notify impacted customers," stated HIBP (HaveIBeenPwned.com), run by security researcher Troy Hunt, raising grave concerns around the proper communication around privacy violation.
One of the app's users from India claims that their email address was part of the breach. The breach date is said to be July 1, 2016, but the information was added to the HIBP database on September 10, 2018. In a tweet, HIBP said that 75 percent of the leaked addresses were part of its database.
FreshMenu founder Rashmi Daga in a statement responding to the claims said that no point was information such as "user passwords or payment-related information breached," adding that the immediate focus after the breach was to "resolve the vulnerability."
This is not the first instance wherein the Indian food delivery space has experienced a data breach. Back in May last year, industry leader Zomato's data was "hacked" and user data of 17 million of its customers was apparently stolen. While sensitive data such as usernames and passwords were leaked, Zomato - at that time - claimed that no payment information went into wrong hands. Furthermore, a Gemalto study noted that this was the sixth biggest data breach globally in all of H1 2017.
You may have seen Twitter posts and media articles about a data breach at FreshMenu back in 2016. I owe every user of FreshMenu a sincere apology for the breach and for not addressing this matter proactively. Trust is integral to the relationship we share with you and we regret the event that led to this trust being compromised. In that moment, we believed that the since the breach was limited, we would focus on resolving the vulnerability and making sure that no further breaches happen. The stolen information comprised of names, email-ids and phone numbers from a test server holding transaction information. At no point during this time was information such as user passwords or payment related information, breached. We have always worked with secure payment partners to store payment information in PCI DSS compliant systems on their side and that is absolutely safe. Regardless, it is clear in hindsight that we could have communicated this information to our users at that time.
Further on, we took immediate action and worked with AppSecure and Anand Prakash, India’s best known white hat hacker, to audit our systems and help us make our system’s security robust. Our team has worked harder to make sure the FreshMenu app and site are thoroughly secure, and our commitment does not end there. We work tirelessly on creating the best for you because that is our top priority.
FreshMenu began four years ago in my home kitchen with one simple purpose- to bring good food to your table, whenever and wherever you are hungry. Today, our aim remains the same, and our determination to serve you only gets stronger. I wanted users to have the world of food available at the push of a button, and the trust that it is being cooked fresh in a kitchen near them. Like with our food, in every aspect of our offering, our mission is to serve you as best as we can.
If you have any concerns or queries, do not hesitate to write to me at email@example.com, and we will reach out to you right away.