Op-Ed: Patties Foods’ ‘data leak’ proves cyber reporting needs to do better

Australian food services company Patties Foods has responded to multiple media reports that it has suffered a data breach.

According to a Patties Foods spokesperson, this was not a data breach as such, but rather a case of data exposure on behalf of a third party – and one that has been quickly addressed at that.

The news of a data breach spread following a report from cyber security analyst Jeremiah Fowler on Website Planet, a news and reviews site for which Fowler regularly writes. This report was widely shared with the media on 5 June, in an email headed “Australian Food Services Provider Records Exposed in Data Breach”.

The article itself, titled “Australian Food Service Provider Internal Records and Invoices Exposed in Third-Party Data Breach” went into some detail about the potential records exposed, which Fowler himself found and reported to the third-party supplier in question – Sydney supply chain back office firm Provenio.ai, which does provide hosting services for Patties Foods.

However, Fowler goes into some effort in the article itself to point out that, to his knowledge and that of all parties involved, no data had actually been maliciously accessed.

“It is not known how long both databases were exposed or if anyone else may have gained access to the non-password-protected records,” Fowler said.

“Only an internal forensic audit would allow a database owner to identify any suspicious activity or other additional access.”

Having discovered the exposed database, Fowler did what any self-respecting cyber security analyst would do and reported it to Provenio.ai, which said it was taking Fowler’s notification seriously.

VIEW ALL

“I can confirm that your message has reached the relevant people, and we are taking this very seriously,” a Provenio spokesperson told Fowler.

“Thank you for notifying us, and thank you for confirming that you do not download or extract data. We have taken immediate action to rectify the issue as well as investigate how the exposure has happened. However, at this stage, it is possible that this may have happened due to human error resulting from a patch update.”

Fowler also noted that he had found what appeared to be a ransomware note, though he did not disclose which threat actor and redacted the email address of the group in question in a screenshot embedded in the article.

In a caption, Fowler again stressed there is still no evidence that any of the exposed data was actually accessed.

“I only saw the note and it is unknown if any data was backed up by cyber criminals, only the owner of the database could know for sure after an internal audit,” Fowler said.

“It is important to note that in the majority of cases, such notices are left automatically, and does not always mean that the database was directly accessed.”

After going into a long discourse on the dangers of invoice fraud – Fowler said he saw more than 25,000 invoices during his investigation – Fowler once again stressed there is no evidence of an actual data breach.

“I imply no wrongdoing by Provenio.ai or Patties Foods, nor do I claim that any customer data or vendor data was or is presently at imminent risk,” Fowler said.

As no data had been accessed nor shared by any threat actor, my colleagues and I decided not to run a story – there was more than enough other news to cover – but many other outlets did, with headlines following Fowler’s own.

“Four’N Twenty owner Patties Foods hit by data leak as invoice, banking details spill online” was The Sydney Morning Herald’s (SMH) take on the story – published the same day Fowler’s story was circulated. It did not, however, share Fowler’s statements that he had no evidence of anybody actually accessing or even noticing the data. However, the SMH did run a statement from Provenio.ai executive director Simon Lupica, who said: “The data exposure was for a short period of time and limited to a single vulnerability issue from a third-party external service, Elastic Search.”

“The vulnerability was contained and removed within hours and limited to non-sensitive data.”

A Patties Foods spokesperson also told the SMH: “According to Provenio.ai, there has been no breach or no evidence that information has been maliciously accessed.”

“We take cyber security extremely seriously and are working closely with Provenio.ai to ensure all data remains secure.

“We can confirm there has been no breach to Patties Food Group’s systems, and there is no cause for concern.”

And yet that headline clearly implies that that is exactly what happened – read it again.

“Four’N Twenty owner Patties Foods hit by data leak as invoice, banking details spill online”

Many other outlets followed suit. The Brisbane Times ran the same SMH article, with the same headline, while Mumbrella’s piece was titled “Four’N Twenty owner Patties Foods reportedly targeted in ‘data breach’”.

All this when there is not only no evidence, at the moment, of any data breach – which is generally accepted to mean that data has actually been stolen and published maliciously – but also when both companies involved have clearly denied the claims.

The only thing Patties Foods was targeted by was a white hat analyst pointing out a vulnerable database – and the media.

This is dangerous reporting. We know only too well that companies can fail in the wake of a data breach. Sometimes, the damage is material, but brand reputation is also at stake when a company finds itself in the news. Too many people only read the headlines these days, and once news breaks of a data breach, many readers will search for more information. If they google “Patties Foods data breach” and find a half dozen news stories backing that up, they will believe data has actually been compromised.

And if they’re a customer of that brand, they may well be afraid their data is at stake.

So far, the only outlet to even suggest there was no breach is Mumbrella, but “Patties Group respond to data breach claims” – which was a follow-up published today on 6 June – still doesn’t tell the whole story.

Inside, it runs the same Patties Foods denial of any data breach: “According to ProvenioAI, there has been no breach or no evidence that information has been maliciously accessed.”

Cyber security reporting is a tricky business, and it’s easy to misattribute or draw incorrect inclusions – criminal reporting, which is what this news beat essentially is – is a murky business. But data breaches, or data leaks, are a hot-button issue. They scare people, damage trust, and can hurt a company’s reputation.

So we need to get this right, and not claim a company has had its data “spill online” when there is zero evidence that it ever happened.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.