Cyber Incident Victim: Chowbus

On October 5, 2020, at approximately 1:30 a.m. CDT, Chowbus customers began receiving unsolicited emails titled "Chowbus data" containing download links to two CSV files. The emails, sent directly by an unauthorized threat actor, claimed to expose internal databases from the Asian food delivery service, which operated in the United States, Australia, and Canada. The first file contained records for 4,300 partner restaurants, listing names, phone numbers, physical addresses, and commission rates negotiated with Chowbus. The second file disclosed personal information for 803,350 users, including full names, email addresses, phone numbers, and residential addresses. Customers who accessed the links confirmed the files contained structured data exports consistent with Chowbus's operational records. The company detected the breach concurrently with these unauthorized emails and immediately initiated an internal investigation.

Chowbus notified affected customers via email on October 5, confirming the compromise of user and restaurant data but clarifying that no financial information or account passwords were accessed. Their security team took undisclosed steps to contain the incident upon discovery. The attacker’s direct distribution of stolen data to victims amplified immediate privacy concerns, as exposed personal details could facilitate phishing or physical targeting. Chowbus directed users to verify their exposure status through the Have I Been Pwned breach notification service but did not disclose the intrusion vector or duration of unauthorized access. The breach impacted all operational regions, exposing sensitive commercial agreements with restaurants and granular customer profiles. No further communication from Chowbus regarding remediation measures or forensic findings was documented in the immediate aftermath.