Foodtech startup FreshMenu concealed a data breach affecting 1,10,000 Indian users in 2016, according to data breach-tracker HaveIBeenPwned.com (HIBP). The founder of FreshMenu, Rashmi Daga, posted an apology on the company’s website after an outrage on social media. Twitter was abuzz with people criticising FreshMenu for hiding the fact that 1.10 lakh accounts were breached in 2016.
FreshMenu has said that the stolen information comprised names, email IDs and phone numbers. At no point during this time was information such as user passwords or payment-related information breached. “We have always worked with secure payment partners to store payment information in PCI DSS compliant systems on their side and that is absolutely safe. Regardless, it is clear in hindsight that we could have communicated this information to our users at that time,” the founder of the company, Rashmi Daga, said.
“When advised of the incident, FreshMenu acknowledged being already aware of the breach but stated they had decided not to notify impacted customers,” HIBP, which was founded by data security researcher Troy Hunt, said on its website earlier in the week.
In a statement on the company’s website, Daga wrote, “I owe every user of FreshMenu a sincere apology for the breach and for not addressing this matter proactively. Trust is integral to the relationship we share with you and we regret the event that led to this trust being compromised. In that moment, we believed that since the breach was limited, we would focus on resolving the vulnerability and making sure that no further breaches happen.”
This comes at a time when the Draft Personal Data Protection Bill 2018 is under discussion and being challenged for its tough mandates, including data localisation and high-level penalties for data breaches.
Still open for comments and feedback, Section 32 of the draft Bill requires data breach notifications to be made to the proposed data protection authority (DPA) only if the breach is likely to cause ‘harm’ to the data principal. The Bill leaves it to the data fiduciary to judge whether the data breach causes ‘harm’ to the data principal, which is a matter of concern.
The Bill prescribes penalties up to Rs 5 Cr or 2% of the annual global turnover (of the company in question), whichever is higher, for any contravention of its provisions.
The draft PDP Bill is yet to be introduced in Parliament. Hence, the provisions made under the draft Bill will not be applicable to FreshMenu’s data leak.
Founded in 2014, FreshMenu is a meal-kit delivery service aimed at busy urban individuals who seek nutritious food but may not have the time or inclination to prepare it.
The Bengaluru-based foodtech startup has raised about $21.5 million till date from its investors, including Zodius Capital and Lightspeed Venture Partners. Currently, FreshMenu has 35 cloud kitchens across Bengaluru, Mumbai, and Delhi NCR.
It is not clear whether any customer payment information or IP addresses were also leaked from FreshMenu’s database.
Prior to this, restaurant discovery firm Zomato saw the data of 17 million users breached last year. The information included user email addresses and hashed passwords.
However, the company had assured that the data theft did not include payment-related information. Gunjan Patidar, Technology Chief at Zomato, had said, “The payment-related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault. No payment information or credit card data has been stolen/leaked.”