
Hershey phishes! Crooks snarf chocolate lovers' creds

Stealing Kit Kat maker's data?! Give me a break


There's no sugarcoating this news: The Hershey Company has disclosed cyber crooks gobbled up 2,214 people's financial information following a phishing campaign that netted the chocolate maker's data.

According to a security notification filed with the Maine Attorney General's office, the phishing emails landed in employees' inboxes in early September. From that point on, it sounds like accessing private data was as easy as stealing candy from a baby.

The other Chocolate Factory did not immediately respond to The Register's questions.

In a letter sent to affected individuals, Hershey says it recently wrapped up its investigation and that the thief "may have had access to certain personal information," but adds (not-so-reassuringly) that there is "no evidence that any information was acquired or misused."

This data included first and last names, health and medical information, health insurance information, digital signatures, dates of birth, addresses and contact information, driver's license numbers, credit card numbers with passcodes or security codes, and credentials for online accounts and financial accounts including routing numbers.

Basically, the crooks accessed anything they'd need for all types of evil deeds, with old-fashioned financial theft likely topping the list.

"Upon learning of the incident, Hershey worked to block the unauthorized user's access and confirm that the affected Hershey accounts were no longer in use by the unauthorized user," according to the breach notification letters.

Hershey also says it worked with "multiple third parties" to clean up the sticky mess, including a forensic provider.

"We also have taken steps to enhance our data security measures to prevent the occurrence of a similar event in the future, including forced password changes and additional detection safeguards to our corporate email environment," the letter adds.

And, while the candy maker has "no reason to believe" that the data thieves have misused the stolen data, Hershey is offering affected individuals the traditional two free years of Experian IdentityWorks. Unfortunately, the company didn't sweeten the deal by throwing in some complimentary chocolate.

Hershey joins the ranks of high-profile intrusions that occurred in early September, which include Las Vegas casino giants Caesars Entertainment and MGM Resorts, both of whom suffered network intrusions and extortion demands around this same time.

Criminals haven't shown any signs of slowing down as the end of the year approaches, with organizations ranging from web tracking and analytics firm New Relic, to 60 US credit unions, and the British Library reporting problems in the last few weeks. ®
