Site icon Sophos News

Mom’s Meals issues “Notice of Data Event”: What to know and what to do

US food delivery compeny PurFoods, which trades as Mom’s Meals, has just admitted to a cyberintrusion that took place from 2023-01-16 to 2023-02-22.

The company stated officially that:

[The] cyberattack […] included the encryption of certain files in our network.

Because the investigation identified the presence of tools that could be used for data exfiltration (the unauthorized transfer of data), we can’t rule out the possibility that data was taken from one of our file servers.

PurFoods says it has contacted everyone whose was affected, or at least everyone whose data appeared in one or more of the scrambled files, which we assume are the files that the company thinks the attackers would have stolen, if indeed any data was exfiltrated.

What’s at risk

The company didn’t say how many people were caught up in this incident, but a recent report on IT news site The Register puts the total at more than 1,200,000 individuals.

PurFoods listed those affected as:

Clients of PurFoods who received one or more meal deliveries, as well as some current and former employees and independent contractors.

The information in the files included date of birth, driver’s license/state identification number, financial account information, payment card information, medical record number, Medicare and/or Medicaid identification, health information, treatment information, diagnosis code, meal category and/or cost, health insurance information, and patient ID number.

Social Security numbers [SSNs] were involved for less than 1% of the [individuals], most of which are internal to PurFoods.

We’re guessing that the company didn’t collect SSNs for customers, though we’d expect them to need SSN data for employees, which is why the at-risk SSNs are listed as “internal”.

But if you’re wondering why a food delivery company would need to collect customers’ medical details, including health and treatment information…

…well, we wondered that, too.

It seems that the company specialises in providing meals for people with specific dietary needs, such as those with diabetes, kidney problems and other medical conditions, for whom food ingredients need to be chosen carefully.

Mom’s Meals therefore needs medical details for some, if not all, of its customers, and that data was mixed in with plenty of other personally identifiable information (PII) that may now be in the hands of cybercriminals.

What to do?

If you’re one of the more than a million affected customers:

If you’re a company that handles vital PII of this sort:

According to the data in the latest Sophos Active Adversary report, the median average dwell time in ransomware attacks (the time it takes between the crooks first breaking into your network and getting themselves into a position to compromise all your files in one simultaneous strike) is now down to just five days.

That means that if your company does get “chosen” by ransomware criminals for their next money-grabbing attack, there’s a better than 50% chance that you’ll have less than a week to spot the crooks sneaking around getting ready for your network doomsday event.

Worse still, the final hammer blow unleashed by ransomware attackers is likely to be at a deeply inconvenient time for your own IT team, with the file-scrambling denouement typically unleashed between 21:00 and 06:00 (9pm to 6am) in your local timezone.

To counter-paraphrase Mr Miagi of Karate Kid fame: Best way to avoid punch is to be there all the time, monitoring and reacting as soon as you can.


Short of time or expertise to take care of cybersecurity threat response? Worried that cybersecurity will end up distracting you from all the other things you need to do?

Learn more about Sophos Managed Detection and Response:
24/7 threat hunting, detection, and response  ▶


Exit mobile version