Gig economy takeaway service DoorDash, which competes with apps such as Deliveroo and Uber Eats for home delivery services in the US and Canada, has admitted that the details of 4.9 million customers and delivery riders (known as Dashers) were compromised in a breach that took place in May 2019.
DoorDash said it became aware in September that an “unauthorised third party” had accessed user data on 4 May this year. All of the victims either used or worked for DoorDash before 5 April 2018 – users who joined after that date are not affected.
The compromised data includes names, email addresses, home addresses, order histories, phone numbers, and hashed and salted passwords. Full credit card information, such as CVV numbers needed for verification, was not accessed. In the case of its workforce, about 100,000 Dashers also had their bank account details and driver’s licence numbers stolen.
DoorDash does not currently have a UK presence, but that is not to say that Britons and other Europeans resident in or visiting the US or Canada who have used the service were not affected. All affected users either have been or will be contacted, but all are encouraged to reset their passwords.
“We take the security of our community very seriously,” said DoorDash in a statement. “Earlier this month, we became aware of unusual activity involving a third-party service provider. We immediately launched an investigation and outside security experts were engaged to assess what occurred. We took immediate steps to block further access by the unauthorised third party and to enhance security across our platform.
“We have taken a number of additional steps to further secure your data, which include adding additional protective security layers around the data, improving security protocols that govern access to our systems, and bringing in outside expertise to increase our ability to identify and repel threats.”
Ben Goodman, senior vice-president of global business and corporate development at ForgeRock, said the DoorDash breach contained lessons on the importance of identifying and rectifying security incidents in a timely way.
He said it was unclear how or why it took almost five months for DoorDash to detect the breach, and this meant the firm could incur significant fines for not addressing the incident more promptly.
“To maintain employee and user trust, and avoid legal consequences, applications and all other companies need to be more proactive in identifying and notifying customers of breaches, leaks or any other security vulnerabilities,” said Goodman.
“Additionally, this breach could have been avoided if DoorDash had leveraged modern and comprehensive identity access management (IAM) tools. IAM tools can provide organisations with ongoing, contextual security that prompts further identity verification, such as 2FA or MFA, when an unauthorised or unknown user attempts to access a database. With these in place, organisations ensure the safety of their data, employees, partners and customers.”
ImmuniWeb’s Ilia Kolochenko said: “It would be premature to make any conclusions about the origins of the breach prior to a detailed technical investigation assisted by law enforcement agencies. A breach or data theft by a trusted third party, such as a supplier or data analytics company, is nonetheless quite possible.
“Risks affiliated to insecure or careless third parties are an Achilles’ heel of most modern companies and organisations. The problem is that monitoring and proper enforcement of third-party cyber security is exorbitantly expensive, and most companies, including the largest ones, simply cannot afford it.
“Affected users should urgently change their passwords if they were not absolutely unique and contact credit monitoring agencies. Later, they will likely be able to get and accept a compensation proposal, join a class action or file an individual lawsuit to recover their losses. Pragmatically speaking, in this case, the first avenue may be the most profitable one if we compare legal costs and required time with the gain.”
Bitglass CTO Anurag Kahol added: “As just one step in trying to control the damage, impacted users should change their passwords on all the accounts where they used these now-exposed credentials. Unfortunately, changing phone numbers and home or work addresses is not quite as easy.
“This event demonstrates why it is crucial for companies to do a better job of protecting data – particularly when so much of their business is conducted via the cloud and through digital services. Security solutions that enforce real-time access control, manage the sharing of data with external parties, encrypt data at rest and prevent data leakage are critical for any organisation’s cyber security programme.”
Earlier this year, DoorDash was the subject of controversy after investigative journalists found evidence that it was cheating its gig economy workforce out of their tips. This is a serious issue in the US, where employee protection and minimum wage legislation are often poor or non-existent, so hospitality sector workers are frequently forced to rely on tips to make a living wage.