The company behind a popular American brand of whole-grain foods has notified its online customers that their personal data may have been exposed in a recent cyber-attack.
Bob’s Red Mill Natural Foods issued a data breach notice on April 15 after learning that it had fallen victim to a data scraping cyber-attack that began two months ago.
“We recently learned that, between February 23 and March 1 2022, malicious software was used to “scrape” purchase-related information entered into our website,” said the company, which is headquartered in Milwaukie, Oregon.
The company said that data entered into its website is usually sent directly to the company’s payment processor via secure protocols. However, unidentified cyber-attackers used malicious software to divert the information.
“We do not believe any of our physical/in-person count-of-sale terminals have been impacted, or that purchases made outside the February 23 – March 1 window have been impacted,” said Bob’s Red Mills.
An investigation into the incident by the company initially found no evidence that any information had been downloaded or exfiltrated from the website and used in the commission of fraud, but that changed in March.
“On March 22, we received a call from a customer who indicated that they incurred a fraudulent charge,” stated Bob’s Red Mill in April, “We received a number of similar reports this month.”
The company said that while it does not know if these fraudulent charges are related to the data scraping incident, “it now appears possible that payment-card (and other) information may have been acquired” by cyber-criminals.
Data that may have been exposed in the attack includes online customers’ payment card information, billing and shipping addresses, email addresses, phone numbers and purchase amounts. The company said that no information had been found to indicate that any Social Security numbers, dates of birth, driver’s license numbers or other government-issued ID numbers had been exposed in the attack.
Bob’s Red Mills’ chief operating officer Bill Lozier said that the company “will learn from this incident and use the information uncovered during our investigation to further bolster our data security and incident-response investigation.”