Full Report
In May 2025, 160k records of customer data were allegedly obtained from Creams Cafe, "the UK's favourite dessert parlour". The data included email and physical addresses, names and phone numbers. Creams Cafe did not respond to repeated attempts to disclose the incident; however, multiple impacted HIBP subscribers confirmed the legitimacy and accuracy of the data.
Analysis Summary
# Incident Report: Creams Cafe Customer Data Breach (May 2025)
## Executive Summary
In May 2025, customer data belonging to Creams Cafe, a UK dessert parlour, was compromised, exposing approximately 160,000 records. The breach involved common PII: names, email addresses, phone numbers, and physical addresses. The incident became public through its addition to Have I Been Pwned (HIBP), with impacted subscribers confirming the accuracy of the data; the organization itself did not disclose the event.
## Incident Details
- **Discovery Date:** July 23, 2025 (Date added to HIBP)
- **Incident Date:** May 2025
- **Affected Organization:** Creams Cafe
- **Sector:** Food Service / Retail
- **Geography:** UK (Inferred from context: "UK's favourite dessert parlour")
## Timeline of Events
### Initial Access
- **Date/Time:** May 2025 (Exact date unknown)
- **Vector:** Not explicitly detailed in the overview.
- **Details:** Attackers successfully obtained a dataset containing customer information.
### Lateral Movement
- *No details provided regarding lateral movement.*
### Data Exfiltration/Impact
- **Details:** Approximately 159,700 customer records were exfiltrated.
- **Data Exposed:** Email addresses, names, phone numbers, and physical addresses.
### Detection & Response
- **Detection:** Indirectly via data appearing in the Have I Been Pwned database, confirmed by affected subscribers.
- **Response Actions:** Only *user-side* actions are suggested (change passwords, enable 2FA). No details of the organization's response are available because the company has not disclosed the incident.
## Attack Methodology
- **Initial Access:** Unknown Intrusion Vector.
- **Persistence:** Unknown.
- **Privilege Escalation:** Unknown.
- **Defense Evasion:** Unknown.
- **Credential Access:** Unknown (Passwords were not explicitly listed as compromised data, but user advice suggests changing passwords).
- **Discovery:** Unknown.
- **Lateral Movement:** Unknown.
- **Collection:** PII data extraction.
- **Exfiltration:** Data transferred out of the network environment.
- **Impact:** Unauthorized disclosure of customer Personally Identifiable Information (PII).
## Impact Assessment
- **Financial:** Unknown (No company statements available).
- **Data Breach:** Exposure of approximately 159.7k customer records, including names, emails, physical addresses, and phone numbers.
- **Operational:** Unknown extent of disruption to Creams Cafe operations.
- **Reputational:** Negative exposure via public confirmation on HIBP and lack of public disclosure from the company.
## Indicators of Compromise
- **Network Indicators:** None provided.
- **File Indicators:** None provided.
- **Behavioral Indicators:** The appearance of the organization's customer PII, in bulk, in an external breach aggregator (here, HIBP).
## Response Actions
- **Containment:** Unknown.
- **Eradication:** Unknown.
- **Recovery:** Unknown.
*Note: The advice provided focuses on remediation for end-users, not the organization.*
## Lessons Learned
- **Key Takeaways:** Customer data, including PII like physical addresses and phone numbers, was stored in a manner susceptible to bulk theft.
- **What could have been done better:** The organization failed to disclose the incident proactively, relying on third-party confirmation to bring the breach to light.
## Recommendations
- Implement robust data minimization practices to ensure only necessary PII is stored.
- Review access controls and monitoring to detect large-scale data extraction activities.
- Establish a transparent breach communication plan, disclosing incidents promptly.
- Users should change passwords related to Creams Cafe and enable Two-Factor Authentication (where available).
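The recommendation to monitor for large-scale data extraction is the one item above that can be turned into a concrete check. The following is an added illustration, not code from the HIBP entry or from Creams Cafe: a sliding-window detector that reads a hypothetical application access log (the format and every log line below are constructed) and raises an alert the first time a single principal reads more customer rows within a ten-minute window than a configured threshold. The endpoint name, the principals and the thresholds are assumptions chosen for the example.

```python
"""Threshold-based detection of bulk customer-record reads.

Added illustration for the monitoring recommendation; not part of the
HIBP entry or the incident report. Assumes a hypothetical access log in
which each line records who read how many customer records. All log
lines, principal names and the endpoint path below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format):
#   <ISO-8601 timestamp> <principal> <endpoint> rows=<n>
SAMPLE_LOG = """\
2025-05-10T09:00:01Z staff_anna /api/customers rows=25
2025-05-10T09:03:15Z staff_anna /api/customers rows=30
2025-05-10T09:05:40Z svc_export /api/customers rows=600
2025-05-10T09:06:02Z svc_export /api/customers rows=600
2025-05-10T09:06:30Z svc_export /api/customers rows=5000
2025-05-10T09:07:11Z staff_bob /api/orders rows=12
2025-05-10T09:07:55Z svc_export /api/customers rows=5000
"""

WINDOW = timedelta(minutes=10)   # sliding window evaluated per principal
ROW_THRESHOLD = 1000             # customer rows per window considered "bulk"
CUSTOMER_ENDPOINT = "/api/customers"  # assumed endpoint that serves PII


def parse_line(line):
    """Split one constructed log line into (time, principal, endpoint, rows)."""
    ts, principal, endpoint, rows = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, principal, endpoint, int(rows.split("=", 1)[1])


def detect_bulk_reads(log_text, window=WINDOW, threshold=ROW_THRESHOLD,
                      endpoint=CUSTOMER_ENDPOINT):
    """Return a list of (principal, window_start, rows_in_window) alerts.

    One alert is raised per principal, at the first moment the rows it has
    read from `endpoint` within the trailing `window` exceed `threshold`.
    Repeat alerts for the same principal are suppressed so that a single
    export run does not flood the queue.
    """
    recent = defaultdict(list)   # principal -> [(time, rows)] inside the window
    alerts = []
    already_alerted = set()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        when, principal, seen_endpoint, rows = parse_line(raw)
        if seen_endpoint != endpoint:
            continue                      # only PII-bearing reads count
        bucket = recent[principal]
        bucket.append((when, rows))
        # Discard events that have slid out of the trailing window.
        while bucket and when - bucket[0][0] > window:
            bucket.pop(0)
        total = sum(r for _, r in bucket)
        if total > threshold and principal not in already_alerted:
            already_alerted.add(principal)
            alerts.append((principal, bucket[0][0], total))
    return alerts


if __name__ == "__main__":
    for principal, start, total in detect_bulk_reads(SAMPLE_LOG):
        print(f"ALERT: {principal} read {total} customer rows since {start:%H:%M:%S}")
```

With the constructed log, `staff_anna` and `staff_bob` stay below the threshold (and `staff_bob` never touches the customer endpoint), while `svc_export` crosses it on its second read (600 + 600 = 1200 rows within the window) and produces exactly one alert; the later 5000-row reads do not re-alert. In a real deployment the threshold would be tuned against a baseline of legitimate per-principal read volumes, and service accounts that genuinely need bulk access would be allow-listed explicitly rather than silently.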