India food delivery service FreshMenu admits to data breach in 2016

FreshMenu, a food delivery service based in India, has apologised after it failed to inform affected customers of a data breach that took place in 2016.

How did the breach occur – and why did it go unannounced for so long?

The breach was first reported on 10 September 2018 by the Have I Been Pwned (HIBP) website, which said “the incident exposed the personal data of over 110k customers”.

The breach occurred on 1 July 2016 and compromised details including:

  • Names;
  • Email addresses;
  • Phone numbers;
  • Home addresses; and
  • Order histories.

HIBP said, “When advised of the incident, FreshMenu acknowledged being already aware of the breach but stated they had decided not to notify impacted customers.”

FreshMenu apologises for not informing customers

Rashmi Daga, founder of FreshMenu, released a statement acknowledging the breach: “I owe every user of FreshMenu a sincere apology for the breach and for not addressing this matter proactively.

“Trust is integral to the relationship we share with you and we regret the event that led to this trust being compromised.

“In that moment, we believe[d] that since the breach was limited, we would focus on resolving the vulnerability and making sure that no further breaches happen.”

FreshMenu has assured customers it “took immediate action” to fix the vulnerability and has worked with an ethical hacker to audit the company’s systems for security.

It also says its team “has worked harder to make sure the FreshMenu app and site are thoroughly secure”.

The breach should have been reported in a timely manner

It’s shocking that it took FreshMenu more than two years to notify affected customers about the data breach.

Rahul Sharma, founder of the Perspective, told Data Breach Today, “Customers have every right to know what data of theirs has been compromised or leaked. This should be a practice followed by every company, and I feel a law addressing this issue must come out soon.

“Who are they to decide whether my leaked data is important or critical? If I am trusting them with my data, I have every right to know when my data gets compromised, however small the breach is.”

Shivangi Nadkarni, CEO of Arrka Consulting, added, “A data breach is a data breach. If firms worry that revealing small and harmless breaches will drive away customers, they are wrong. I think customers are more loyal when the trust factor is not broken.”

Data breach reporting in India

Although India has no specific laws on data breach reporting within a set timeframe, organisations would be wise to look at the EU’s GDPR (General Data Protection Regulation) as best practice.

Indian organisations that offer goods and services to, or monitor the behaviour of, EU residents must comply with the GDPR anyway.

But all organisations in India should remember that, with an appropriate data protection compliance framework in place, they will not only avoid significant fines and reputational damage but also be able to show customers that they are trustworthy and responsible, and derive added value from the data they hold.

Under the GDPR, data breaches that pose a risk to the rights and freedoms of data subjects must be reported to a data protection authority within 72 hours of discovery, and, where there is a high risk to those rights and freedoms (e.g. identity theft or personal safety), the affected individuals should also be notified.

In this instance, FreshMenu should have notified affected individuals, since a significant amount of their personal data was exposed and that exposure posed a risk to their rights and freedoms.
