Cyber Incident Victim: PurFoods
Date: Jan 2023
Location: United States of America
Summary
A cybersecurity incident involving PurFoods, operating as Mom’s Meals, resulted from an external system breach that compromised sensitive personal and financial information of over 1.2 million individuals, including thousands of Maine residents. The unauthorized access exposed names combined with financial account or payment card details alongside security credentials. Affected parties received written notifications and were offered complimentary identity theft protection services for either one or two years through a third-party provider. Consumer reporting agencies were alerted due to the scale of impacted residents in Maine. The breach was discovered several months after the initial unauthorized access occurred.
Description
On January 16, 2023, PurFoods, LLC, operating as Mom’s Meals, experienced an external system breach resulting in unauthorized access to sensitive consumer data. The intrusion remained undetected until July 10, 2023, when the company discovered the compromise. The breach impacted 1,237,681 individuals nationwide, including 2,248 Maine residents, exceeding the state’s threshold for mandatory reporting to consumer credit agencies. Exfiltrated data included names paired with financial account numbers, credit or debit card details, and associated security credentials such as PINs, access codes, or CVV numbers. The Iowa-based meal delivery service maintained its corporate headquarters at 3210 SE Corporate Woods Dr in Ankeny during the incident timeframe.

PurFoods initiated written notifications to affected consumers on August 25, 2023, nearly seven weeks after breach discovery and over seven months post-compromise. The company provided Maine residents with a detailed notice titled "PurFoods Holdings LLC - Notice of Data Event" outlining the incident specifics. Identity theft protection services were offered through Kroll, with affected individuals receiving either 12 or 24 months of monitoring coverage. No prior breach notifications had been issued by the company within the preceding 12-month period. Jane Sturtz, PurFoods’ Privacy Officer, formally reported the incident to Maine authorities on February 22, 2023, listing her corporate contact information and affiliation with the Mom’s Meals domain. The organizational classification fell under "Other Commercial" entities in regulatory filings.
