Cyber Incident Victim: FreshMenu

On July 1, 2016, Indian online food delivery platform FreshMenu suffered a data breach compromising 110,355 customer accounts. The incident exposed personally identifiable information including usernames, email addresses, contact numbers, device information, and food order histories. While third-party breach index HaveIBeenPwned.com reported physical addresses and detailed order histories were also compromised, FreshMenu later disputed these specific claims. The company became aware of the breach shortly after it occurred but made a deliberate decision not to notify affected customers. This non-disclosure persisted for over two years until September 10, 2018, when HaveIBeenPwned.com publicly revealed the incident through social media, criticizing FreshMenu's failure to warn users. The breach notification service stated FreshMenu had acknowledged prior awareness of the compromise when contacted but maintained its position against customer notification, citing the perceived limited scope of the incident as justification for withholding information.

Following public exposure of the breach, FreshMenu issued a formal apology on its website in September 2018, acknowledging the two-year delay in disclosure. Company leadership apologized for breaching customer trust and explained their initial response focused exclusively on vulnerability remediation rather than transparency. FreshMenu confirmed immediate corrective actions taken in 2016 to patch the exploited security flaw and prevent recurrence, while emphasizing no financial data or account passwords were compromised. The organization engaged an unnamed white-hat security specialist to conduct post-breach system audits and reiterated commitments to strengthen data protection measures. Despite these assurances, the delayed notification deprived customers of timely opportunity to monitor potential misuse of their exposed personal information over the two-year concealment period.