Bengaluru-based food delivery platform FreshMenu suffered a data breach back in July 2016 that exposed personal data of over one lakh customers. However, unlike most companies and portals that disclose breaches and alert users to change passwords, FreshMenu did not notify impacted customers.
Personal data such as device information, email addresses, names, phone numbers, physical addresses, and purchases of 110,355 users were exposed. This information comes from HIBP (haveibeenpwned.com), which maintains a database of data breaches. As per the website, information on FreshMenu’s data breach was added on September 10, 2018.
“When advised of the incident, FreshMenu acknowledged being already aware of the breach but stated they had decided not to notify impacted customers,” HIBP’s website says about the data breach.
In its response, FreshMenu founder Rashmi Daga put out an apology for not addressing the matter proactively.
“Trust is integral to the relationship we share with you and we regret the event that led to this trust being compromised. In that moment, we believed that since the breach was limited, we would focus on resolving the vulnerability and making sure that no further breaches happen,” she said in a statement issued by the company.
However, FreshMenu claims that information such as user passwords or payment-related information was not breached. The payment information, it claims, is stored in PCI DSS compliant systems on their side, which is absolutely safe.
“Regardless, it is clear in hindsight that we could have communicated this information to our users at that time. Further on, we took immediate action and worked with AppSecure and Anand Prakash, India’s best known white hat hacker, to audit our systems and help us make our system’s security robust. Our team has worked harder to make sure the FreshMenu app and site are thoroughly secure, and our commitment does not end there. We work tirelessly on creating the best for you because that is our top priority,” she added.
In July this year, HIBP also tweeted that over five million records of users of Yatra.com were exposed in a data breach back in 2013. According to the website, the data contained email and physical addresses, dates of birth and phone numbers, along with both PINs and passwords stored in plain text.
More recently, personal and financial data of nearly 380,000 customers of British Airways (BA) who booked online on its website and mobile app were compromised. The data theft reportedly happened between August 21 and September 5, 2018.