Top food delivery service Purfoods leaks 1.2 million users' medical and personal data


Food delivery business Purfoods has revealed it suffered a ransomware attack in which sensitive data on more than a million customers may have been stolen.

The company behind the "Mom's Meals" line notified 1,237,681 individuals of a cyberattack that happened in mid-January 2023. The notification doesn’t say which threat actor was behind the attack, but stresses the possibility of the theft of sensitive data.

"Because the investigation also identified the presence of tools that could be used for data exfiltration, Purfoods was not able to rule out the possibility that data was taken from one of its file servers," the company said.

Social Security Numbers at risk

A third-party incident response company, which was later hired to help address the aftermath of the attack, concluded that the data the attackers may have taken includes customer names, Social Security Numbers, driver’s licenses and state identification numbers, financial accounts, and payment card information (this also includes security codes, access codes, passwords, or PINs). Furthermore, the database included medical information, health information, and birth dates.

Purfoods’ unique selling proposition includes preparing health-focused meals, particularly its Mom’s Meals line, in which it teamed with more than 500 health providers to deliver refrigerated meals to people covered by Medicare and Medicaid.

Purfoods has been silent on whether the company knows the name of the threat actor, or the amount of money demanded, but it did say that it notified law enforcement of the breach, and started implementing “additional safeguards” and more employee training to minimize the chances of such an incident repeating. It will also be providing free credit monitoring to affected customers.

It also shared more information on how to protect against identity fraud and wire fraud, just in case.

Via: The Register