Hershey warns of data breach following phishing attack

The American manufacturer of popular sweets such as Kit Kat and Reese's Peanut Butter Cups told regulators that more than 2,200 people were potentially affected by a data breach after hackers gained access to some of the company’s email accounts.

The Hershey Company submitted a security notification to the Maine Attorney General's office on Friday about a breach that occurred at the beginning of September and was promptly detected.

In an example of a letter sent to targeted individuals, Hershey said that hackers gained access to “a limited number” of the company’s email accounts and “may have had access to certain personal information.” The company classified the incident as a phishing campaign.

The stolen data “varied from person-to-person,” according to Hershey, but may have included personal information such as first and last names, health and medical information, digital signatures, contact information, driver’s license numbers, credit card numbers, and credentials for online accounts and financial accounts including routing numbers.

The company said that it doesn’t have evidence that any information “was acquired or misused” by the cybercriminals.

Hershey is now investigating the attack with security researchers and said it took steps to prevent similar events in the future, including forced password changes.

This is not the first time Hershey has been targeted by hackers. In 2011, cybercriminals penetrated its server and altered one of the baking recipes posted on the company’s recipe website. This server also stored consumer registration information, including email addresses, birthdates, and street addresses.

In June of this year, Mondelez — the American manufacturer of Oreo cookies and Milka chocolate — also had some of its employees' data compromised by hackers following a breach at the law firm Bryan Cave, which provides legal services to the firm.