Meal kit delivery service Home Chef was hit by a recent cyberattack that captured several pieces of sensitive data from customers. Describing the incident on its website, the company said that the compromised data included names, phone numbers, email addresses, encrypted passwords, the last four digits of credit card numbers, and possibly such information as mailing addresses and frequency of deliveries. Though Home Chef said it doesn’t store complete credit or debit card information, the theft of even four digits from their credit cards may be alarming to customers.
The company added that it’s been emailing affected customers to alert them to the breach. Stressing that user passwords are encrypted, it is nonetheless urging users to change their current passwords.
Home Chef reportedly discovered the breach only after learning of customer records being sold on the Dark Web. A criminal group calling itself Shiny Hunters has been selling the customer databases of several companies, including an alleged eight million records from Home Chef, according to BleepingComputer. Hawking the database for as much as $2,500, the group even provided a sample revealing the information stored in the database table. In a statement to BleepingComputer, Home Chef confirmed that its data breach notification is related to the database being sold online.
SEE: Security Awareness and Training policy (TechRepublic Premium)
In response to the breach, Home Chef said on its website that it’s “taking action to investigate this situation and to strengthen our information security defenses to prevent similar incidents from happening in the future.”
But the scenario is a familiar one. A website is breached due to weak security measures, various vulnerabilities or mistakes, a skilled and persistent hacker, or a combination of all three. The company learns of the breach, investigates the cause, and alerts affected users. The people in charge promise to fix whatever security weakness allowed the attack to occur, then vow not to let it happen again. But this type of incident does point to specific chinks in Home Chef’s security armor and that of many other companies.
“Unfortunately, like the vast majority of breached companies, it appears that Home Chef was only alerted that there was a problem after their customers’ information was already posted for sale online,” Chris Clements, vice president of solutions architecture for Cerberus Sentinel, said. “It’s likely that the attackers had Home Chef compromised for some time and may in fact still have access to their systems and data. They could still be actively stealing customer information. Without confirmation from Home Chef, it’s impossible to know. The ‘move fast and break things’ mentality of many startups often means that security is an afterthought.”
Clements also pointed out a lack of specificity in Home Chef’s message.
“Home Chef’s messaging in response has been very terse stating only that some of their data was compromised and that they are investigating while encouraging users to change their passwords,” Clements said.
Even though full credit card numbers and plain passwords were not breached, cybercriminals have ways of using and abusing other types of customer data.
“While the information may not seem extremely useful at first glance, bad actors can use this information to craft very targeted attacks to these customers,” Erich Kron, security awareness advocate at KnowBe4, said. “By having email addresses, street addresses, phone numbers, and the last four digits of a credit card number, scammers could very effectively impersonate someone from the breached organization, make some phone calls and request updated credit card information, passwords, etc. using social engineering techniques.”
Though passwords were scooped up in the breach, Home Chef said that they’re encrypted, though it did advise users to change them. Are encrypted passwords safe from exploitation? Not necessarily.
“Depending on the encryption techniques and strength used, attackers could potentially decrypt passwords,” Kron said. “While customers may change their password at this site, the bad guys know that people tend to reuse passwords across the internet and could use these credentials to perform something called a credential stuffing attack. This is where the bad guys take known credentials from one website and try to use it to log into other sites such as banking, other shopping sites, email accounts, etc.”
Users caught up in such a breach should also take certain steps to safeguard their information and to avoid future compromises.
“Victims of this breach should ensure that their passwords are changed at this site as well as anywhere else it’s being used,” Kron said. “They should consider enabling multifactor authentication wherever possible and look into the use of password vaults, which generate random passwords for each site. Victims should also be aware that they may be a target of phishing or vishing [voice phishing] schemes where scammers would call them using this information they have and try to get them to give up further information.”
Organizations themselves need to do a better job of preventing data breaches from occurring. That requires the right technology and the right user training but also a commitment to security.
“Organizations should adopt a culture of security that includes ongoing education for all employees on current security threats and best behaviors as well as regular simulated attacks, or penetration testing of users and computer systems to ensure no vulnerabilities or misconfigurations exist that an attacker can exploit,” Clements said. “Finally, it is critical that organizations have the capability to continuously monitor and respond to suspicious or unusual activities on their network.”
Despite the best security efforts and protection, hackers are smart, dedicated, and persistent. In many cases, it’s not a question of if a cyberattack will occur but when it will occur. In that event, how should an organization respond, especially if sensitive data is compromised?
“First and foremost, organizations should have a well thought out computer incident response plan that details actions to be taken if an incident is detected,” Clements said. “It’s important that incident response plans are developed with a cool head and that everyone knows to follow the same process beforehand. Too many times in panic after an incident, responders can make mistakes that result in attackers maintaining access or defenders deleting critical evidence that can be used to determine the root cause of the incident.”
Finally, organizations must contact the right people to help in the aftermath.
“After a breach is detected, it’s important to reach out to lifelines such as professional incident response and forensic firms as well as appropriate law enforcement agencies,” Clements said. “The legal team should also be consulted to determine what legal or regulatory requirements for disclosing that a breach has occurred are.”