Naked Security

Mom’s Meals issues “Notice of Data Event”: What to know and what to do

It took six months for notifications to start, and we still don't know exactly what went down... but here's our advice on what to do.

US food delivery company PurFoods, which trades as Mom’s Meals, has just admitted to a cyberintrusion that took place from 2023-01-16 to 2023-02-22.

The company stated officially that:

[The] cyberattack […] included the encryption of certain files in our network.

Because the investigation identified the presence of tools that could be used for data exfiltration (the unauthorized transfer of data), we can’t rule out the possibility that data was taken from one of our file servers.

PurFoods says it has contacted everyone whose data was affected, or at least everyone whose data appeared in one or more of the scrambled files, which we assume are the files that the company thinks the attackers would have stolen, if indeed any data was exfiltrated.

What’s at risk

The company didn’t say how many people were caught up in this incident, but a recent report on IT news site The Register puts the total at more than 1,200,000 individuals.

PurFoods listed those affected as:

Clients of PurFoods who received one or more meal deliveries, as well as some current and former employees and independent contractors.

The information in the files included date of birth, driver’s license/state identification number, financial account information, payment card information, medical record number, Medicare and/or Medicaid identification, health information, treatment information, diagnosis code, meal category and/or cost, health insurance information, and patient ID number.

Social Security numbers [SSNs] were involved for less than 1% of the [individuals], most of which are internal to PurFoods.

We’re guessing that the company didn’t collect SSNs for customers, though we’d expect them to need SSN data for employees, which is why the at-risk SSNs are listed as “internal”.

But if you’re wondering why a food delivery company would need to collect customers’ medical details, including health and treatment information…

…well, we wondered that, too.

It seems that the company specialises in providing meals for people with specific dietary needs, such as those with diabetes, kidney problems and other medical conditions, for whom food ingredients need to be chosen carefully.

Mom’s Meals therefore needs medical details for some, if not all, of its customers, and that data was mixed in with plenty of other personally identifiable information (PII) that may now be in the hands of cybercriminals.

What to do?

If you’re one of the more than a million affected customers:

  • Consider replacing your payment card if yours was listed as possibly stolen. Most banks will issue new payment cards promptly, thus automatically invalidating your old card and making the old card details useless to anyone who has them now or buys them up later on the dark web.
  • Watch your statements carefully. You should do this anyway, so that you spot anomalies as soon as you can, but it’s worth keeping a closer eye on what’s happening with your financial accounts if there’s evidence you might be at a greater-than-usual risk of identity theft or card abuse.
  • Consider implementing a credit freeze. This adds an extra layer of authorisation from you that’s needed before anything in your credit report can be released to anyone. This makes it harder for crooks to acquire loans, credit cards and the like in your name (although this obviously makes it harder – and thus takes longer – for you to get a new loan, credit card or mortgage, too). Unfortunately, activating a credit freeze means you need to send a large amount of PII, including a copy of your photo ID and your SSN, to one of three main credit bureaus.

If you’re a company that handles vital PII of this sort:

  • Act immediately when any anomalies are detected in your network. In this attack, the criminals were apparently inside the PurFoods network for more than a month, but were only spotted after they’d got as far as scrambling files, presumably as a basis for extorting money from the company.
  • Consider using a Managed Detection and Response (MDR) service if you can’t keep up on your own. Good threat hunting tools not only search for and prevent the activation of malware, but also help you to detect weak spots in your network such as unprotected or unpatched computers, and to identify and isolate behaviour that’s commonly seen in the build-up to a full-blown attack. Having threat hunting experts on hand all the time makes it much more likely that you’ll spot any danger signals before it’s too late.
  • Be as quick and as transparent as you can in any data breach notifications. Despite the suggestion that this was a two-pronged steal-data-and-then-scramble-it attack, known in the jargon as double extortion, PurFoods hasn’t made it clear what really happened, even though the company took several months to investigate and publish its report. For example, we still don’t know whether the company received any blackmail demands, whether there was any “negotiation” with the attackers, or whether any money changed hands in return for hushing up the incident or for buying back decryption keys to recover the scrambled files.

According to the data in the latest Sophos Active Adversary report, the median average dwell time in ransomware attacks (the time it takes between the crooks first breaking into your network and getting themselves into a position to compromise all your files in one simultaneous strike) is now down to just five days.

That means that if your company does get “chosen” by ransomware criminals for their next money-grabbing attack, there’s a better than 50% chance that you’ll have less than a week to spot the crooks sneaking around getting ready for your network doomsday event.

Worse still, the final hammer blow unleashed by ransomware attackers is likely to be at a deeply inconvenient time for your own IT team, with the file-scrambling denouement typically unleashed between 21:00 and 06:00 (9pm to 6am) in your local timezone.

To counter-paraphrase Mr Miyagi of Karate Kid fame: Best way to avoid punch is to be there all the time, monitoring and reacting as soon as you can.

