On May 20, 2020, customers of Home Chef got the unpleasant news that 8 million of their data records had been breached. The stolen information included names, email addresses, phone numbers, the last four digits of credit card numbers, and encrypted passwords. Other information, including mailing addresses and frequency of delivery, “may also have been compromised.”
The announcement came about two weeks after Home Chef learned of the breach. This is within the generally accepted time frame; a company’s first priority is to verify what happened and prevent further damage. What’s disturbing is that Home Chef learned of the breach only by discovering that its data was being offered for sale.
How Home Chef learned of the breach
An online criminal gang calling itself Shiny Hunters had announced that it was offering databases from eleven companies, Home Chef among them. In early May they offered the 8 million records for $2,500. No details are publicly available on how the breach occurred, but Shiny Hunters apparently got direct access to Home Chef’s customer database. The largest set of records the gang claimed to have was 91 million from Tokopedia, a major Indonesian online store. This number hasn’t been confirmed; the low-end estimate is 15 million.
The price might have been higher, except that Home Chef did some things right. It didn’t store full credit card numbers, and it encrypted all the passwords in its database. The stolen information could make it easier to match credit card numbers with people or to crack passwords, but the breach didn’t outright expose that sensitive information. Even so, Home Chef is advising its customers to change their passwords.
What businesses and customers should do
The breach offers lessons to businesses and customers. Businesses need to remember the importance of network monitoring. If the security incident had been caught earlier, the thieves might have been stopped before they could steal the data. Even if the theft could not have been prevented, Home Chef would have known about the breach sooner and started remedial action sooner. Acquiring the 8 million records could have taken weeks: grabbing and exfiltrating that many records all at once could trigger alarms, so thieves prefer to take them slowly.
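The monitoring point above is easy to get wrong: an alarm that fires only on a single huge query never sees a thief who pulls a modest slice of the table every night. The example below, added here and not Home Chef's or Bluwater's code, assumes a made-up database audit log format (one line per query: timestamp, principal, rows returned) and constructed sample lines. It compares a naive per-query threshold with a sliding-window total per principal, which is what catches the slow drain.

```python
"""Flag low-and-slow bulk record access in database audit logs.

Added example, not Home Chef's or Bluwater's code. It assumes a made-up
audit log format, one line per query:

    <ISO-8601 timestamp> <principal> rows=<rows returned>

All thresholds and sample lines below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SINGLE_READ_ALARM = 100_000     # rows in one query that trip a naive per-query alarm
WINDOW = timedelta(days=7)      # sliding window for cumulative volume per principal
WINDOW_ROW_ALARM = 250_000      # rows one principal may read per WINDOW before we alert

# Constructed sample log. "svc-report" pulls 50,000 rows every night for eight
# nights: no single read reaches SINGLE_READ_ALARM, but the running total does.
SAMPLE_LOG = "\n".join(
    [f"2020-04-{day:02d}T02:00:00 svc-report rows=50000" for day in range(1, 9)]
    + [
        "2020-04-03T09:15:00 app-web rows=12",
        "2020-04-05T11:20:00 app-web rows=3",
        "2020-04-06T14:00:00 analyst-jane rows=150000",
    ]
)


def parse_log(text):
    """Return a list of (timestamp, principal, rows) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, principal, rows_field = line.split()
        rows = int(rows_field.split("=", 1)[1])
        events.append((datetime.fromisoformat(ts), principal, rows))
    events.sort(key=lambda event: event[0])
    return events


def single_read_alerts(events, limit=SINGLE_READ_ALARM):
    """Principals with at least one query returning more than `limit` rows."""
    return {principal for _, principal, rows in events if rows > limit}


def sliding_window_alerts(events, window=WINDOW, limit=WINDOW_ROW_ALARM):
    """Principals whose rows read within any `window`-long span exceed `limit`.

    Returns {principal: peak rows seen inside one window}. A two-pointer sweep
    per principal keeps this linear in the number of log lines.
    """
    per_principal = defaultdict(list)
    for ts, principal, rows in events:
        per_principal[principal].append((ts, rows))

    alerts = {}
    for principal, reads in per_principal.items():
        start = 0       # index of the oldest read still inside the window
        total = 0
        peak = 0
        for ts, rows in reads:
            total += rows
            # Drop reads that are a full window (or more) older than this one.
            while ts - reads[start][0] >= window:
                total -= reads[start][1]
                start += 1
            peak = max(peak, total)
        if peak > limit:
            alerts[principal] = peak
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-query alarm:", single_read_alerts(evts))       # {'analyst-jane'}
    print("cumulative alarm:", sliding_window_alerts(evts))  # {'svc-report': 350000}
```

The per-query check flags only the one large read, while the windowed total surfaces the service account that never exceeded the per-query limit but quietly read 350,000 rows in a week. In practice the window threshold should be set from each principal's own baseline rather than a single global number.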
The events show why businesses should never store unencrypted sensitive information in their databases. Home Chef protected itself and its customers from a worse disaster by following this principle.
On the customer side, the breach shows the need for strong passwords. Depending on the details, thieves may be able to test long lists of passwords against the encrypted ones and discover the ones that match. A long and complex password is more resistant to this kind of cracking. When they learn of a breach, users should change their passwords immediately.
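The two principles above, keeping only what the business actually needs from a card number and storing passwords in a form that has to be guessed rather than decrypted, are shown in the example below. It is added here and is not Home Chef's or Bluwater's code; the record layout and the sample customer are constructed, and the salted PBKDF2 hashing stands in for whatever the company actually uses.

```python
"""Build a customer record with no full card number and no recoverable password.

Added example, not Home Chef's or Bluwater's code. The record layout is
hypothetical; the sample customer in the test is constructed.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # deliberately slow: every guess costs this many HMAC rounds
SALT_BYTES = 16
MIN_PASSWORD_LENGTH = 12      # longer passwords widen the space a cracker must search


def card_last_four(pan):
    """Validate the card number and return only its last four digits."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 12 <= len(digits) <= 19:
        raise ValueError("card number must have 12 to 19 digits")
    return digits[-4:]


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' with a fresh random salt."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_customer_record(name, email, phone, card_number, password):
    """Return what goes into the database: last four digits only, hashed password only."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    return {
        "name": name,
        "email": email,
        "phone": phone,
        "card_last4": card_last_four(card_number),
        "password_hash": hash_password(password),
    }


if __name__ == "__main__":
    # Constructed sample customer.
    record = build_customer_record(
        "Pat Example", "pat@example.com", "555-0100",
        "4111 1111 1111 1111", "correct horse battery staple",
    )
    print(record["card_last4"])                                            # 1111
    print(verify_password("correct horse battery staple", record["password_hash"]))  # True
```

If this record were stolen, the thief would hold four digits of the card and a salted hash that costs 600,000 hash rounds per guess; a long passphrase keeps that cost multiplied over a search space too large to exhaust, which is exactly why the post tells customers to prefer long, complex passwords.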
Home Chef warned customers to be wary of scams. Fraud operators can better target their phone calls and spam by knowing that a phone number or email address belongs to a customer. The company has reminded its customers that it will never ask for sensitive information by email. People getting phone calls claiming to be from Home Chef should likewise be wary of any odd requests.
Data security is a constant challenge. A typical data breach costs millions of dollars in downtime, reporting, mitigation, and liability. Businesses need to maintain a multilayered defense. It has to include not just technical protection but cybersecurity awareness training, so that employees don’t give away authentication information or let malware get into their systems. System monitoring is important, so that IT people can catch security incidents when they happen and not after massive data loss. Investing in data protection pays for itself by safeguarding a business’s operations and reputation.
Bluwater’s network and system security services will reduce your company’s chances of suffering an expensive data breach.