Hershey hacked by attacker who changes recipe rather than steal data

A hacker managed to penetrate the website of confectionery giant Hershey and change a recipe.

While the hacker left without taking any financial data, it is possible that the passwords, email addresses, mailing addresses and birthdays of any consumer who registered on the site could have been accessed, as they were stored on the same server as the recipe.

In an email to customers, Hershey did not reveal which particular baking recipe the hackers altered, although it did say that there was ‘no indication’ that the data had been accessed.

It said: “Consumers rely on us for this information, and we take the quality of our baking and cooking recipes very seriously. We have corrected the issue and taken steps to enhance the security of this information. We have thoroughly investigated the situation and reviewed the recipes on this site to ensure their quality.”

Shannon Simpson, sales and marketing director at CNS, said: “Hackers are not always looking to expose companies, but often to embarrass them or highlight vulnerabilities. The implication of a defaced website is usually that security vulnerabilities exist.

“Whilst it might be easy to dismiss the Hershey's recipe hack, it does raise questions about how to secure data and what to do in the event of a breach. We recommend that all businesses start with a review of the data they're holding, look at the architecture of your environment, categorise information and protect it according to its value and risk of loss.

“Ask whether the business really needs to hold the data itself or even ask for the information in the first place? There's obviously a difference between recipe information and client bank details; this needs to be reflected in your approach to data security. If the business is storing sensitive information, use one-way encryption; for defacements, file integrity monitoring will let you know when information has changed which you need to investigate.

“Finally, consider disposing of data. If you don't need it, get rid of it. Having less to lose will obviously reduce the impact of an attack.”