At a time when the Draft Personal Data Protection Law is under discussion and being challenged for its tough mandates, including data localisation and high-level penalties for data breaches, reports have surfaced that foodtech startup FreshMenu concealed a data breach affecting 110K Indian users in 2016.
Earlier this week, data breach tracker HaveIBeenPwned.com (HIBP) revealed that a breach in the systems of FreshMenu in July 2016 had exposed personal data, including the names, email addresses, phone numbers, home addresses, and order histories of its customers.
Founded in 2014 by Rashmi Daga, FreshMenu is a meal kit delivery service aimed at busy urban individuals who seek nutritious food but may not have the time or inclination to prepare it.
The Bengaluru-based foodtech startup has raised about $21.5 Mn till date from its investors, including Zodius Capital and Lightspeed Venture Partners. Currently, FreshMenu has 35 cloud kitchens across Bengaluru, Mumbai, and Delhi NCR.
The company had claimed at the time that it received 13K orders per day with an average order value of $5 (INR 325), which, incidentally, is close to Swiggy’s average order value of $5.39 (INR 350).
It is not clear if any customer payment information or IP addresses were also leaked from FreshMenu’s database.
In a statement on its website, Rashmi Daga wrote, “I owe every user of FreshMenu a sincere apology for the breach and for not addressing this matter proactively. Trust is integral to the relationship we share with you and we regret the event that led to this trust being compromised. In that moment, we believed that since the breach was limited, we would focus on resolving the vulnerability and making sure that no further breaches happen.”
Daga also emphasised that the stolen information comprised names, email IDs, and phone numbers, and that at no point was information such as user passwords or payment-related information breached.
“We have always worked with secure payment partners to store payment information in PCI DSS compliant systems on their side and that is absolutely safe. Regardless, it is clear in hindsight that we could have communicated this information to our users at that time,” said Daga.
Daga went on to explain that the company took immediate action and worked with AppSecure and Anand Prakash, India’s best-known white hat hacker, “to audit our systems and help us make our system’s security robust. Our team has worked harder to make sure the FreshMenu app and site are thoroughly secure, and our commitment does not end there. We work tirelessly on creating the best for you because that is our top priority.”
Prior to this, restaurant discovery firm Zomato saw the data of 17 Mn users breached last year. The information included user email addresses and hashed passwords.
However, the company had assured that the data theft did not include payments-related information. Gunjan Patidar, Technology Chief at Zomato, had said, “The payment-related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault. No payment information or credit card data has been stolen/leaked.”
Still open for comments and feedback, the draft Personal Data Protection Bill 2018, under Section 32, requires data breach notifications to be made to the proposed data protection authority (DPA) only if the breach is likely to cause “harm” to the data principal. The Bill leaves it to the data fiduciary to judge whether the data breach causes “harm” to the data principal, which is a matter of concern.
The Bill, once enacted, prescribes steep penalties of up to INR 5 Cr or 2% of the annual global turnover of the company in question, whichever is higher, for any contravention of its provisions. A higher penalty of INR 15 Cr or 4% of the annual global turnover of the company in question is prescribed for violations such as processing of personal data in contravention of the Bill.
The draft PDP Bill is yet to be introduced in Parliament. Hence, the provisions made under the draft Bill will not be applicable to FreshMenu’s data leak, so the company has been spared a huge amount in penalties for now. However, amid all the buzz that ‘data is the new oil’, data leaks at various organisations are like petrol tankers catching fire, and all new-age companies need to have solid preventive mechanisms to keep data breaches in check.