Home Chef Data Breach: Experts Commentary

Home Chef, a US-based meal kit and food delivery service, announced a data breach today after a hacker sold 8 million user records on a dark web marketplace. The Home Chef user records were one of the databases being sold and allegedly contained 8 million user records. The threat actor was selling this database for $2,500 and provided a sample showing the type of information in the database table.


EXPERTS COMMENTS
James Carder, Chief Information Security Officer & Vice President, LogRhythm Labs
May 22, 2020
It is evident that Home Chef lacked stringent security strategies.
Home Chef is one of the key players in the multi-billion-dollar meal kit delivery industry and is owned by one of the biggest supermarket retailers, Kroger. A company of this size must take responsibility for ensuring that sufficient security measures are in place to protect customer data and rapidly respond to cyberthreats. This is especially true now, as demand for delivery services continues to ....
Dr. Vinay Sridhara, CTO, Balbix
May 22, 2020
Compromised credentials still account for over 80% of hacking-related data breaches.
Companies are increasingly shifting their business models online, especially now due to new remote work policies amid the coronavirus crisis. Food delivery services such as Home Chef are currently in great demand and for customers to use these services, they must first create accounts with email addresses and passwords as well as other personal and financial data. Home Chef must ensure that the ac ....
Chris DeRamus, VP of Technology Cloud Security Practice, Rapid7
May 22, 2020
However, to properly protect consumer data, organizations must transition to more modern, proactive security measures.
It’s more essential than ever for companies like Home Chef, a meal kit and delivery service, to ensure they have proper security protocols to keep customer information safe. More often than not, companies’ security and compliance practices are reactive, meaning they do not address or are unaware of a system vulnerability until after a breach occurs. However, to properly protect consumer data, ....
Boris Cipot, Senior Sales Engineer, Synopsys
May 21, 2020
Passwords—even encrypted passwords—can be cracked.
Attackers define the rules of engagement when it comes to carrying out data breaches, and attackers selling stolen data with the goal of monetary gain is nothing new. There is high demand for such information on the dark web to further carry out phishing campaigns, and similar attacks. Passwords—even encrypted passwords—can be cracked. If a hacker succeeds in accessing password data, it cou ....
Erick Kron, Security Awareness Advocate, KnowBe4
May 21, 2020
Depending on the encryption techniques and strength used, attackers could potentially decrypt passwords.
This is an example of how companies of all sizes and in all industries need to ensure they are protecting their customer data. In this case, the bad actor is selling the 8 million records for only $500 to $2500, but the cost to the company and potentially to their customers, will far exceed that. While the information may not seem extremely useful at first glance, bad actors can use this informat ....
Chris Clements, VP, Cerberus Sentinel
May 21, 2020
Home Chef’s messaging in response has been very terse, stating only that some of their data was compromised.
Unfortunately, like the vast majority of breached companies, it appears that Home Chef was only alerted that there was a problem after their customers’ information was already posted for sale online. It’s likely that the attackers had Home Chef compromised for some time and may in fact still have access to their systems and data. They could still be actively stealing customer information. Wi ....
Robert Prigge, CEO, Jumio
May 21, 2020
The repercussions of this breach are beyond the initial exposure.
Home Chef’s breach of 8 million records puts more than customers’ meal kit delivery services at risk. Whether ordering food or playing innocent games on your phone, cybercriminals are looking for every opportunity possible to acquire user data. The exposed encrypted passwords can easily be decrypted and used to access other accounts including bank accounts, social media profiles, health insura ....
