Are you finding that you’re cooking more—or at all—thanks to extended quarantine? Boy do I miss restaurants. Maybe you do, too. Maybe you’re even ordering takeout or meal kits to cook up yourself. In which case, you might be susceptible to a data breach. Kroger’s Home Chef Services, one of the more popular delivery services, recently experienced one itself. Exposed was information like names, address, partial credit card numbers, and frequency of deliveries, over 8 million records in total. Such a class of data could be used in future phishing campaigns, the likes of which we’ve seen in plenty lately.
Responsible for this breach is a group that has become fairly active during the pandemic, Shiny Hunters. We’ve seen them before, claiming credit for the breach of Indonesia’s Tokopedia e-commerce platform, as well as 500 GB of data from Microsoft’s GitHub account. Attacking an essential service like food delivery isn’t much of a surprise. But therein lies the exposed vulnerability. As James Carder, CSO and VP of LogRhythm, told ThreatPost, “All companies in this sector must not falsely assume that they are immune to attack just because they have become an essential service to help people during a challenging time.” Unfortunately, we still don’t know how many people were affected by this incident, or how it occurred in the first place. Owned by the supermarket giant Kroger, Home Chef announced the incident on their website and is notifying affected customers. An investigation will be underway as well.
As we have also observed recently, hackers have been targeting state unemployment programs—another vital necessity for the over 30 million people who are out of work in the US alone since the shutdown began. Several states have indeed been subjected to this. Unfortunately, the common theme seems to have been inadequate effort in securing the websites, due in part to a rush to get these programs up and running. It goes without saying, these benefits are also an essential service, which has made them rich targets for cyber criminals.
Hopefully, with states gradually planning to reopen in the near future, if all goes well enough thee programs will no longer be the critical, attractive targets they are. In the meantime, anyone potentially affected by a breach during this crisis should take the same actions they would during more normal times. Identity monitoring services (especially if they’re being offered free by the breached entity), credit freezes, even changing your passwords can help you avoid trouble. Any available protection people can find, they should use, and not have to worry about their dinner risking their personal information.