Grant West and Rachael Brooks are facing jail time for conning hundreds of thousands of Just Eat customers out of their personal data in 2015 by sending them phishing emails that looked like Just Eat survey emails.
The couple used the phishing scam to obtain personal and financial details of thousands of Just Eat customers before selling those details to fellow cyber criminals on the Dark Web.
After obtaining details of Just Eat customers by hacking into a server owned by the firm, Grant West and Rachael Brooks sent out phishing emails to hundreds of thousands of people, asking them to respond to a survey and to fill in their personal and financial details in a form in exchange for ten-pound rewards.
Widespread phishing scam
The campaign worked flawlessly for the couple, who were able to con as many as 165,000 Brits out of personal and financial details such as names, addresses, email addresses, passwords, and CVV numbers. The couple then put these details up for sale on the Dark Web.
Just Eat had to spend in the range of £210,000 in mitigation costs after the fraudulent campaign was discovered. The couple has admitted to the crime before the Southwark Crown Court.
“They wanted to carry out fraudulent actions. This was a sophisticated and organised agreement and planned. It is not suggested that this defendant was the mastermind, that was Grant West. He pleaded guilty and can rightly be called an expert.
“Just Eat is an online delivery company. It holds a database which has the confidential details such as names and payment records. The defendant was involved in the hacking into the database. Then the fraud was then the use of email addresses to send out, ‘phishing emails’,” said Kevin Barry, the prosecutor.
“The customers were asked to complete a survey, but the emails were never sent back to Just Eat. They went to the fraudsters. This data was then used to get more information about the Just Eat customers. Complete sets of information are known as, ‘Fullz’. This is then used by the criminal minded to carry out fraud.
“It is of intrinsic value to them and often traded in massive quantities. When on the Dark Web each data is given a value, and this can be just a few pence or thousands of pounds. The prosecution say that was the ultimate purpose of the fraud. They wanted to benefit from selling personal details,” he added.
Mitigating the damage
Following the couple’s conviction, Just Eat said that it doesn’t store customer card details on its website and that all payments are managed securely by an independent, external payment service provider.
It added that while both Just Eat customers and non-customers were affected by the phishing scam, none of its systems were compromised or breached.
Just Eat isn’t the only food delivery service that has been targeted by hackers. In late 2016, suspected hackers gained access to Deliveroo customers’ accounts and used those accounts to purchase food from the app. Deliveroo allowed customers to store their payment information in the app, which the hackers exploited.
“These issues occur when criminals use a password stolen from another service unrelated to our company in a major data breach. The stolen password is then used to fraudulently access someone’s account,” the firm said.