Food delivery service DoorDash has announced that it recently suffered a data breach involving a third-party service provider that compromised personal and limited financial information of approximately 4.9 million consumers and merchants who joined its platform on or before April 5, 2018.
DoorDash announced in a blog post that the security incident took place on May 4 this year, when an unauthorised person gained access to detailed profile information of millions of customers who had been with the platform for over a year.
Personal information of customers that was compromised by the incident included names, email addresses, delivery addresses, order history, phone numbers, and hashed passwords. The unauthorised party also accessed limited financial information of customers, such as the last four digits of consumer payment card numbers and the last four digits of their bank account numbers. DoorDash said that such limited details will not allow cyber criminals to make fraudulent charges on payment cards or make fraudulent withdrawals from bank accounts. Hashed passwords cannot be used directly, but weak or unsalted hashes can be cracked offline, which is why the password-change advice below still applies.
The company also admitted that the driver's license numbers of approximately 100,000 Dashers were also accessed by unauthorised individuals.
"Earlier this month, we became aware of unusual activity involving a third-party service provider. We immediately launched an investigation and outside security experts were engaged to assess what occurred.
"We were subsequently able to determine that an unauthorised third party accessed some DoorDash user data on May 4, 2019. We took immediate steps to block further access by the unauthorised third party and to enhance security across our platform. We are reaching out directly to affected users," it said.
4.9 million DoorDash customers vulnerable to phishing attacks & identity fraud
According to DoorDash, consumers and merchants who joined its platform after April 5, 2018 are not affected by the security incident. Not all of the customers, Dashers and merchants who joined prior to that date were affected either, but the company is advising all such customers, Dashers and merchants to change their account passwords immediately.
"We have taken a number of additional steps to further secure your data, which include adding additional protective security layers around the data, improving security protocols that govern access to our systems, and bringing in outside expertise to increase our ability to identify and repel threats," the company added.
According to Erich Kron, security awareness advocate for KnowBe4, by using information from this breach attackers could create a very convincing phishing email using a victim's name, email address and phone number, along with the last four digits of their credit card, and trick the person into believing it was legitimate. This is even worse for Dashers, whose driver's license numbers were also compromised.
"The fact that this data has been available for so long before people were notified is unfortunate, especially when customers had reported suspicious activity so long ago. If you have ever wondered how scammers get the information they use to call people claiming that their Social Security Number is suspended, or that the IRS is going to arrest them, this is one way that it happens," he adds.
Jan van Vliet, Vice President and General Manager EMEA at Digital Guardian, says that cyber security programmes should ensure that emphasis is placed on the security of the data itself, and not just on networks, servers and applications. Shifting the focus towards identifying, controlling and securing sensitive data assets may not prevent a cyber breach, but it will minimise data loss, and hopefully the need to admit you should have known better.