Monday, November 30, 2020

Home Chef: Informing Customers of a Data Breach (2020)

Home Chef is a meal kit company that delivers ingredients and recipes to its customers' houses so they can make fresh, home-cooked meals easily and without having to go out for groceries. Before the Covid-19 pandemic and lockdown, Home Chef and all meal kit companies were struggling for users in an over-saturated market. But with everyone stuck at home, more and more people turned to meal kits, and Home Chef saw its user base skyrocket. Around this time, a report from Bleeping Computer found that someone was selling user data from 11 different companies on the dark web, including 8 million Home Chef users. Home Chef took two weeks to acknowledge the leak and inform customers that their data may have been compromised, leaving them vulnerable to credit card fraud and other cybercrimes.

By taking two weeks to respond to the leak and inform their customers, Home Chef is ethically in the wrong. While what they did was legally acceptable due to holes in the laws around data breaches, this response goes against the ethical theories of Utilitarianism, Kantianism, and Virtue theory. 

Going forward, Home Chef needs to acknowledge their fault in taking so long to report the leak and start working to gain back the trust of their users. They should update their mission statement and core values to reference that they are working to re-earn trust. They need to be more transparent about what they are doing to fix the problem and ensure that it does not happen again.

Company Background

Home Chef is a US-based meal kit and food delivery service. They send boxes of ingredients to their subscribers so that they can make a fresh meal. To do this they need data about their customers such as addresses, credit card information, and purchase history.

Before the pandemic, meal kits were struggling to stay in business. The market was heavily over-saturated. Meal kits such as TV dinners have existed for decades, but modern delivery kits create unnecessary problems to make an unneeded solution. People have to give up control and spontaneity, which actually makes their lives less convenient, unlike what the providers advertise. The kits also come out to be far more expensive than they seem. [1] It seemed as though Home Chef and other meal kit companies were going to go out of business.

A sample Home Chef meal kit.

Before the Covid-19 pandemic, meal kit companies such as Home Chef, Blue Apron and others had been losing users and market share for the past couple of years. But because of the pandemic, interest in them has skyrocketed. Companies are reporting doubling their number of users, and their stock is up 400%. Many other companies are getting in on the trend, including traditional restaurants like Panera and Chick-fil-A. Customers are willing to spend more because of the convenience and the novelty while they are stuck at home. [2]

The Case

On May 14th, 2020, it was reported that a hacker was selling user records from 11 different companies on the dark web. This included data for 8 million Home Chef customers. He was selling them for $500-$2500. This information included a user's email, encrypted password, last four digits of their credit card, gender, age, subscription information, and more. Two weeks later, on May 20th, Home Chef acknowledged the breach. [3]

Home Chef acknowledged that it had recently learned of a breach in user data. Data leaked included email address, name and phone number, encrypted passwords, the last four digits of credit card numbers, and other account information such as frequency of deliveries and mailing address. Home Chef said it does not store complete credit or debit card info. They are “taking action to investigate this situation and to strengthen our information security defenses to prevent similar incidents.” [4]

A sample of the leaked data. Information has been blurred out to protect users.

Because data breaches are a relatively new problem, there has not been much done to determine the ethics of a data breach. Most breaches are caused by malware, programs that get into servers and steal info, or social engineering, where users are tricked into giving away their info. Hackers usually use a combination of the two. Businesses need to be ready for these attacks. Because businesses require so much information for even a basic transaction, the consumer needs to be able to trust the company with their data. Corporations do not want to take responsibility for data breaches and often underestimate how badly they can affect customers. Companies need to inform customers when they know a breach has occurred and should have security in place to try to prevent breaches. This includes infrastructure, active monitoring, and education. Consumer lawsuits may help make companies more responsible with user data. [5] In the case of Home Chef, because they were not obviously negligent with the data, they are not getting in legal trouble, but the millions of users who were impacted are not happy with Home Chef’s response.

The timeline of the Home Chef Data Breach

Stakeholders

Many people were affected by Home Chef’s data breach and by their response, or lack thereof. The most obvious are the 8 million people whose information was put up for sale on the dark web. Having their personal information for sale for two weeks without their knowledge, before they could change it, could impact their security. Other Home Chef users are also impacted, as they will have to decide whether they trust Home Chef enough to continue using their service. Finally, the shareholders and high-ranking people in Home Chef are affected, as they will have to improve their data security and brand image going forward because their stocks took a hit.

Individualism Ethical Analysis

Individualism is an ethical theory that says the goal of a business is to maximize profit within the law. Businesses should do whatever they can to make money, as long as it is legal. Managers are supposed to prioritize making profit over anything else to help the free market.

For the Home Chef data breach case, not telling the customers as soon as possible is a good option under the individualism theory. Because cybercrime and data breaches are a relatively new problem, the laws regarding the responsibility of the company that got hacked are somewhat open to debate. As long as the company had some sort of data protection system set up and was not being negligent, it is not held responsible for the leak. In terms of notifying customers, the company is supposed to notify customers as soon as it can verify that there was a data leak. But without a metaphorical smoking gun, like an email chain discussing the leak, it is impossible to know when the company verified the leak and how fast their response was. Even though the leak was independently reported two weeks before Home Chef made a statement, they are not in any legal trouble if they say that the report was just a rumor and they were unable to verify what happened until they made the announcement. Therefore, Home Chef did not technically break any laws.

By delaying telling customers, it was more likely that they would make more purchases and continue to give their business to Home Chef. And since meal kit user numbers were skyrocketing during the first wave of the pandemic lockdown, by delaying the announcement, Home Chef gained many more users during those two weeks who otherwise may not have signed up if they were concerned about the security of their data. That is how Home Chef maximized profit within the law by taking two weeks to acknowledge the leak.

Utilitarianism Ethical Analysis

Utilitarianism is an ethical theory that says the most important thing is maximizing long-term happiness for the greatest number of stakeholders. Under utilitarianism, no one person’s happiness is more important than anyone else’s. The good of the many is the most important thing.

In terms of the Home Chef data breach controversy, the stakeholders are the customers, both the ones who had their data leaked and the ones who didn’t, the stockholders of Home Chef, and the owners and upper management of Home Chef and its parent company Kroger. The action of taking two weeks to tell customers about the leak is not acceptable from a utilitarian perspective. Customers were not happy that their data was leaked and available for two weeks before they were informed about what happened so that they could change their passwords and cancel credit cards. Upper management and stockholders were happy in the short term because they continued to gain customers, and keep the customers whose data was stolen, over the two weeks that they did not announce the leak, and stocks continued to rise. But in the long term, they are unhappy because they had to announce it eventually, which hurt their reputation and caused them to lose customers who were upset about not being told right away.

A better alternative would have been for the company to announce the breach as soon as it was reported. Customers would have been much happier because they would have been able to change passwords and cancel cards sooner to lessen the chances of something bad happening to them. Stockholders and owners may have been less happy in the short term, as they may have lost some business for a little while, but in the long term people would be more likely to be forgiving because the company took quick action to fix the problem and take responsibility.

Kantianism Ethical Analysis

Kantianism is an ethical theory that holds that the most important thing is a person’s rationality. Lying is against Kantianism because it disrespects another person’s rationality. Kant created the formula of humanity, which states that a person must always be treated as an end, never as a mere means. That means people and their rationality must be respected and their feelings and options considered. While it is ok to use them as a means to get to an end, they cannot be treated as a mere means, as something that only exists to help reach a goal. They must always be treated as a human being who is valuable as themselves, not just for what they can do to help reach an end.

By not telling customers that their data was leaked right away, Home Chef disrespected their rationality and treated them as a mere means, only caring about how many meals they order. A rational person would cancel their cards and change passwords as soon as they knew their data was leaked. By not telling the customers, Home Chef prevented them from being able to take the rational action required for the situation. Home Chef continued to profit off those users while preventing them from being able to make rational decisions. They were treating their customers as a mere means to selling meals, making profits, and improving their stock. They were not respecting the customers as rational beings who are valuable as themselves and who were being hurt by having Home Chef withhold valuable information about their data from them.

Virtue Theory Ethical Analysis

Virtue Theory hinges on the four cardinal virtues of courage, honesty, temperance, and justice. According to virtue theory, these four things are the most important values that people and companies should live by, and if one is missing, they are all lacking. Courage is the company being able to take risks and think outside the box. Honesty is always telling the truth and allowing consumers to make informed decisions. Temperance is having reasonable goals for the company and not pushing employees too hard to do something unreasonable. And justice is having fair practices.

The most obvious virtue lacking in Home Chef’s response to the leak is honesty. Lying by omission is still lying, which is the opposite of honesty. Consumers were not able to make informed decisions because they did not have all the necessary information. They were also lacking in courage. They were afraid they would lose customers and business by telling them right away about the leak, so they kept it quiet for two weeks, which is wrong. This is also against justice because not telling one’s customers that their data was stolen is not a fair business practice. Finally, Home Chef was lacking in temperance by being complacent with their data security and expecting it to always be able to stand up to hackers instead of constantly looking to improve it, which is needed in today’s cyber age.

Justified Ethics

Home Chef’s response to the data breach was not ethical. By waiting two weeks to tell customers about what happened, they left them vulnerable to having their credit cards, passwords, and social security numbers stolen and abused. The 8 million users who had their data stolen were not happy about the delayed response. Customers were unable to do the rational thing of canceling credit cards and changing passwords because Home Chef did not tell them the pertinent information right away. What they did was lacking honesty, as they did not tell customers about the leak and were lying by omission. And while it did not break any laws, that is because the laws around cybercrime and data leaks are somewhat vague and lacking when it comes to holding the company responsible. Especially in the middle of a pandemic, when more people than ever before are using meal kits like Home Chef to provide interesting homemade meals for themselves and their families, Home Chef betrayed their customers’ trust by not telling them right away about the data breach and leaving them vulnerable to fraud for two weeks.

Action Plan

The current issue with Home Chef is that it let data from 8 million users get hacked and put up for sale on the black market, and then took two weeks after it was reported to acknowledge it and tell their customers. While it is too late to fix their delayed response to the problem, Home Chef should do a thorough investigation of their data security protocols to ensure that it is not easy for hackers to obtain data, and set up alerts so they know as soon as there is a breach and can notify affected customers. As for those customers already affected by the leak and delayed response, a gesture of apology, such as discounts on their next couple of orders to show that they are sorry, could help restore a good relationship with their customers.

A new mission statement for Home Chef going forward could be, ‘here at Home Chef, our priority is creating and delivering fresh meals from a company you can trust.’ This mission statement differs from their current one by focusing less on the convenience of their meals and more on how they can be trusted. After the leak of data from 8 million users, future customers may be wary of signing up for a company whose mission only talks about how easy they make mealtime and does not address their trust issues.

A core value for Home Chef after the data leak should be honesty. If they had been honest about the leak as soon as it happened, their users could have quickly changed passwords and canceled their credit cards before too much damage was done. Honesty also works as a core value for their meal prep boxes. By telling customers exactly what is in each box, and letting them see all the ingredients going into their meal, they know exactly what they are eating and putting into their bodies, as opposed to prepared meals that may have any number of artificial ingredients. Another core value should be security. Home Chef needs to prioritize keeping their customers’ data private and secure. While data breaches happen in a digital age with advanced hackers, having already suffered one should show them where the weaknesses in their system are, and they should be working to improve them. Another breach in the near future would show that they did not take this first one seriously and would severely damage their relationship with customers and their public image. That is why moving forward security must be a core value. A third core value can be creativity. Customers come to Home Chef for meals that they may not have thought of or known how to make on their own. Home Chef should take advantage of this by selling meal kits for creative meals that most people do not usually experience. Especially during the pandemic, when it is easy to fall into a rut of doing the same thing every day, creative meal kits are a good way to make Home Chef stand out in a saturated market and gain some goodwill back after the controversy.

In the future, Home Chef needs to make sure employees understand the importance of honesty and accountability. When a mistake is made, employees need to be encouraged to step forward and acknowledge it. They cannot pretend that nothing is wrong, as Home Chef did for two weeks after the leak. They should also overhaul and improve their cyber security team with people more equipped to combat hackers. Home Chef must also monitor employees with access to user data to make sure they are not responsible for selling data to hackers, and those employees must be fired if they are caught mishandling sensitive data.

Home Chef needs to remarket itself as trustworthy and honest now. 8 million users are a lot of customers to lose if they are all mad about the data leak, so Home Chef needs to continue to apologize and take more responsibility for what happened. They should also say more about what they are actually doing to make sure a leak does not happen again instead of a vague ‘we are fixing the problem.’ This action plan will help Home Chef regain the trust of its users and the public after the data breach. By taking responsibility for what happened and showing visible improvement in how seriously they are taking the privacy of their users’ data, customers will be more likely to take a chance on trusting them again.

Bibliography

[1] C. Walton, "Meal-Kit Solutions Lack One Key Ingredient: Human-Centered Design," Forbes, 19 July 2018. [Online]. Available: https://www.forbes.com/sites/christopherwalton/2018/07/19/meal-kit-solutions-lack-one-key-ingredient-human-centered-design/?sh=5d37b116524b. [Accessed 9 November 2020].

[2] R. de Leon, "How the coronavirus pandemic delivery surge created a lifeline for Blue Apron meal kits," CNBC, 22 May 2020. [Online]. Available: https://www.cnbc.com/2020/05/22/how-coronavirus-pandemic-delivery-surge-gave-new-life-to-blue-apron.html. [Accessed 9 November 2020].

[3] L. Abrams, "Home Chef announces data breach after hacker sells 8M user records," Bleeping Computer, 20 May 2020. [Online]. Available: https://www.bleepingcomputer.com/news/security/home-chef-announces-data-breach-after-hacker-sells-8m-user-records/. [Accessed 9 November 2020].

[4] Home Chef, "Home Chef Data Security Incident," Relish Labs LLC, 20 May 2020. [Online]. Available: https://support.homechef.com/hc/en-us/categories/360003288251-Home-Chef-Data-Security-Incident. [Accessed 9 November 2020].

[5] H. G. Buttrick, J. Davidson and R. J. McGowan, "The Skeleton of A Data Breach: The Ethical and Legal Concerns," 2 December 2016. [Online]. Available: https://jolt.richmond.edu/2016/12/02/the-skeleton-of-a-data-breach-the-ethical-and-legal-concerns/. [Accessed 9 November 2020].

 

 





