Food delivery provider FreshMenu started operations in India back in 2014, and has since been selling its products on its own platform as well as through aggregator apps like Zomato, Swiggy, and UberEATS. A report has now surfaced online that claims FreshMenu had a massive data breach back in 2016, one that exposed the personal data of over 110,000 customers including their names, email addresses, phone numbers, home addresses, device information, and order histories. It is currently not known whether any customer payment information was exposed from FreshMenu’s database.
“When advised of the incident, FreshMenu acknowledged being already aware of the breach but stated they had decided not to notify impacted customers,” stated HIBP (HaveIBeenPwned.com), run by security researcher Troy Hunt, raising grave concerns about how privacy violations are communicated to affected users.
One of the app’s users from India claims that their email address was part of the breach. The breach date is said to be July 1, 2016, but the information was added to the HIBP database on September 10, 2018. In a tweet, HIBP said that 75 percent of the leaked addresses were part of its database.
We have reached out to FreshMenu for a statement and will update our story as and when we receive a comment from the company. While it is unlikely that your data was leaked if you placed a FreshMenu order through a food aggregator service, the possibility of data having been exchanged between the two parties remains. The breakdown of leaked data across users of the Web, Android, and iOS apps is also not yet known.
This is not the first instance of a data breach in the Indian food delivery space. Back in May last year, industry leader Zomato’s data was “hacked” and user data of 17 million of its customers was apparently stolen. While sensitive data such as usernames and passwords were leaked, Zomato – at that time – claimed that no payment information fell into the wrong hands. Furthermore, a Gemalto study noted that this was the sixth biggest data breach globally in all of H1 2017.