FreshMenu said that it chose not to disclose the leak, which affected over 1.1 lakh users of its website. The company’s statement also did not admit that home addresses and order histories were stolen. FreshMenu was hacked in 2016, exposing the names, email IDs, addresses and phone numbers of over 1.1 lakh users.
The leak first surfaced earlier this week, when Australian security researcher Troy Hunt added the leak to his index of breached websites and databases, haveibeenpwned.com. FreshMenu added that it regretted the leak and that it worked with Appsecure and Anand Prakash, a security bug bounty hunter, to audit and secure its systems after it discovered the incident.
If India had a data protection law
Since India does not have a data protection law, FreshMenu is not liable to any penalties. But if the Srikrishna committee’s bill were passed as-is, this is what would be legally required:
- Immediate disclosure: Under Section 32(1–2), FreshMenu would have to disclose that breach immediately to the Data Protection Authority of India (which does not exist yet), along with details of possible consequences and steps being taken to remedy the vulnerability. The DPAI would decide whether this breach should be disclosed to users, and would require FreshMenu to post details on its website if so.
- Penalties for not disclosing: Since FreshMenu did not disclose the breach as required by the above section, it would be liable to a fine of up to 2% of its annual revenue or Rs 5 crore, whichever is higher. The DPAI would have the power to levy a Rs 5 crore fine regardless of whether FreshMenu was fined for FY16 (when the breach happened) or FY18 (when the breach surfaced): 2% of FreshMenu’s annual revenue would be well below Rs 5 crore in FY18 even if it meets its target of doubling FY17’s turnover of Rs 70.9 crore.
Of course, this breach may have been less likely to happen in the first place if the data protection bill had been in place in 2016. The draft law requires ‘significant data fiduciaries’ to perform routine audits of their systems and to appoint data auditors to examine how personal data flows through them.
Nikhil adds: The problematic part of this data protection law, when it comes to breaches, is that it is up to the DPA to decide whether users should be informed or not. In my opinion, if my data is compromised, I need to know. This is why services like haveibeenpwned.com by Troy Hunt perform an important function.
FreshMenu’s full statement
You may have seen Twitter posts and media articles about a data breach at FreshMenu back in 2016. I owe every user of FreshMenu a sincere apology for the breach and for not addressing this matter proactively. Trust is integral to the relationship we share with you and we regret the event that led to this trust being compromised. In that moment, we believed that since the breach was limited, we would focus on resolving the vulnerability and making sure that no further breaches happen. The stolen information comprised names, email IDs and phone numbers. At no point during this time was information such as user passwords or payment-related information breached. We have always worked with secure payment partners to store payment information in PCI DSS compliant systems on their side and that is absolutely safe. Regardless, it is clear in hindsight that we could have communicated this information to our users at that time.
Further on, we took immediate action and worked with AppSecure and Anand Prakash, India’s best known white hat hacker, to audit our systems and help us make our system’s security robust. Our team has worked harder to make sure the FreshMenu app and site are thoroughly secure, and our commitment does not end there. We work tirelessly on creating the best for you because that is our top priority.
FreshMenu began four years ago in my home kitchen with one simple purpose: to bring good food to your table, whenever and wherever you are hungry. Today, our aim remains the same, and our determination to serve you only gets stronger. I wanted users to have the world of food available at the push of a button, and the trust that it is being cooked fresh in a kitchen near them. Like with our food, in every aspect of our offering, our mission is to serve you as best as we can.
If you have any concerns or queries, do not hesitate to write to me at firstname.lastname@example.org, and we will reach out to you right away.