Even Delivery Apps Can Give Hackers an Opening to Steal Personal Data

In mid-October 2020, Asian food delivery service Chowbus became the victim of a hacker attack. As a result of the breach, hundreds of thousands of customer records were stolen.

The full details surrounding the method and attack vector the cybercriminals used are still not clear. What is known, however, is that over 800,000 customer records were stolen from a Chowbus database. The records contain sensitive, personally identifiable information including the names, e-mail and real-world addresses, as well as phone numbers of Chowbus customers. A significant chunk of the leaked data were e-mails - over 440 thousand e-mails were stolen in the attack.

Company customers started receiving e-mails titled "Chowbus data". The e-mails contained links to downloads containing the leaked Chowbus database records. The links point to two .cvs files - one containing company information about its restaurants and the other - for its users.

No credit card information was accessed or leaked in the breach.

Chowbus is headquartered in Chicago and serves customers across North America and Australia. The leaked records contained information about customers in both territories.

Attack Vector Still Unclear

Security experts expressed suspicion that the attack may be an effort to undermine Chowbus's reputation and called the attack "very unusual". The interesting thing about this data breach is that there is still no information about the attack vector and the way the bad actors infiltrated Chowbus databases. Similar attacks usually have a security team investigating the aftermath and informing the victim about the exact way their system was breached.

This latest incident underlines the significant security issues that are still present in company networks. Sadly, no matter how good your personal security habits are, you are always at risk of bad actors compromising a service you use and stealing your information directly from their databases.

Similar data breaches are not an uncommon occurrence. Back in May 2020 the personal data of nearly 190 thousand Australian citizens was stolen from a government network belonging to a New South Wales administrative institution.

October 15, 2020