Asian food delivery service Chowbus, owned by Fantuan Group Inc., has suffered a data breach with hundreds of thousands of customer records stolen.

Exactly how the data breach took place is not known. The stolen data included customer names, email addresses, phone numbers and email addresses. Credit card data was not accessed.

Although the company has confirmed that “some of our user data has been illegally accessed” and that it’s addressing the issue, where the story takes a twist is how customers initially found out about the data breach.

Customers affected by the data breach started to receive emails early Monday labeled “Chowbus data” that contained links to where they could download the stolen company data, the Chicago Tribune reported today. One thread on Reddit details the email and the data sent via the link, with various users chiming in to state that they had also received the same email. The database contained more than 800,000 customer records and 444,000 unique email addresses.

New breach: Yesterday, Chowbus customers were sent a link to a CSV file with over 800k customer records. Data included names, physical addresses, phone numbers and 444k unique email addresses. 58% were already in @haveibeenpwned. Read more: https://t.co/03pwssKC80

— Have I Been Pwned (@haveibeenpwned) October 6, 2020

Based in Chicago, Chowbus provides food delivery services in the U.S., Canada and Australia. The data included customer information from Australia and well as North America with Riot Act reporting that information of customers from Canberra were found in the database.

“We are so used to ransomware attacks or other incidents committed for political or financial gain that a data breach at Chowbus is very unusual,” Ilia Sotnikov, vice president of product management at data security firm Netwrix Corp., told SiliconANGLE. “This scenario hasn’t been common before and can be a result of criminal mischief or a desire to harm a company’s reputation.”

By undermining trust in a company’s ability to protect customer data, hackers may encourage victims to turn to competitors, Sotnikov added. “Although there is no information on the root cause of this incident, we may assume that such an attack could have been initiated by an insider, such as a disgruntled employee,” he said.

Stephen Gates, security evangelist and senior solutions specialist at software security company Checkmarx Ltd., noted that such breaches highlight the need for better application security.

“If the breach wasn’t due to a malicious insider, then the likelihood the hack took place via the Chowbus website, or even more probable, their mobile app, is very high,” Gates said. “Organizations must do a better job of finding and remediating software vulnerabilities before their apps go online, not after a breach takes place.”

Image: Chowbus