The delivery service confirmed an unauthorized third party accessed user data last spring.
DoorDash's latest data breach compromised the data of 4.9 million users. The delivery service confirmed the breach in a statement on September 26. Customers, Dashers, and merchants were all affected.
“We deeply regret the frustration and inconvenience that this may cause you,” the company said in a statement. “Every member of the DoorDash community is important to us, and we want to assure you that we value your security and privacy.”
The company confirmed that an unauthorized third party had access to DoorDash user data on May 4. Since identifying the breach, the company has launched an investigation into the incident while enhancing security across the platform.
“Breaches of company data due to security failures of their third-party providers are going to continue at an increasing rate until companies own up to doing the work necessary to effectively manage vendor risk,” RiskRecon’s CEO Kelly White said in an email.
While not every DoorDash user was affected by the breach, the company said in a statement that "consumers, Dashers, and merchants who joined our platform on or before April 5, 2018" were affected. The unauthorized party had access to names, email addresses, delivery addresses, order history, and phone numbers.
During the breach, the hackers were able to access the last four digits of consumer payment cards. However, "full credit card information such as full payment card numbers or a CVV was not accessed," DoorDash said. That information alone should be insufficient for the hackers to make fraudulent charges on consumer payment cards.
For merchants and Dashers, the unauthorized party gained access to the last four digits of their bank account numbers. DoorDash said full bank account information was not accessed and that the hackers should not be able to make fraudulent withdrawals from those accounts. In addition to bank account data, the unauthorized party had access to the driver's license numbers of about 100,000 Dashers.
Since the breach, DoorDash has alerted affected users about what information the hackers accessed. The company does not believe the hackers obtained user passwords, because what they could see were hashed, salted passwords: a one-way transformation of each password combined with a random per-user value, designed so that the original password cannot be read back from the stored record. Hashing does not make weak passwords safe, though, since an attacker holding the records can still test guesses offline at leisure, which is why DoorDash recommends that users change their passwords as a precaution.
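To make the "hashed, salted" point concrete, here is an added example (not DoorDash's code; the company did not disclose which algorithm it uses, so PBKDF2-HMAC-SHA256 from Python's standard library is assumed here as a stand-in). It shows why a stolen record does not hand the attacker the password directly, why the per-user salt stops two users with the same password from sharing a record, and why a weak password still falls to an offline dictionary attack. The wordlist and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Assumed parameters for the illustration. A production system would pick a
# memory-hard KDF (Argon2id, scrypt) and tune the cost; the mechanics are the same.
ITERATIONS = 100_000
SALT_BYTES = 16

# Constructed wordlist standing in for what an attacker would try offline.
CONSTRUCTED_WORDLIST = [
    "123456", "qwerty", "letmein", "doordash", "password", "password123",
    "iloveyou", "welcome1", "dasher2019", "admin",
]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is supplied,
    so the same password yields a different digest for every user."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.
    This is the only way to get a yes/no out of the record; it is not reversible."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def offline_dictionary_attack(salt: bytes, digest: bytes,
                              wordlist: Iterable[str]) -> Optional[str]:
    """What a thief holding the stolen (salt, digest) pair can still do: run the
    same function over guesses with no rate limit. Returns the matching guess,
    or None if nothing in the wordlist matches."""
    for guess in wordlist:
        if verify_password(guess, salt, digest):
            return guess
    return None


if __name__ == "__main__":
    # Two users who chose the same weak password get unrelated stored records.
    salt_a, digest_a = hash_password("password123")
    salt_b, digest_b = hash_password("password123")
    print("same password, different records:", digest_a != digest_b)

    # The weak password is recovered offline; a long random passphrase is not.
    print("weak password cracked as:", offline_dictionary_attack(salt_a, digest_a, CONSTRUCTED_WORDLIST))
    salt_c, digest_c = hash_password("correct horse battery staple 7Q!")
    print("strong password cracked as:", offline_dictionary_attack(salt_c, digest_c, CONSTRUCTED_WORDLIST))
```

The salt defeats precomputed tables and cross-user matching, and the iteration count makes each guess cost the attacker the same work it costs the server, but neither changes the fact that "password123" is in every wordlist; that gap between "not directly readable" and "not recoverable" is the reason a password change is still advised after a breach of hashed credentials.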
“We have taken a number of additional steps to further secure your data, which include adding additional protective security layers around the data, improving security protocols that govern access to our systems, and bringing in outside expertise to increase our ability to identify and repel threats,” the company said in a statement.
Even though the hackers did not have access to full account numbers or complete payment card information, they could still leverage the data they did access to scam users in the future, Ray Walsh, digital privacy advocate at ProPrivacy, added in an email.
“The diverse assortment of data that has been stolen could easily allow hackers to engage in identity theft and might result in DoorDash customers being targeted by spear-phishing campaigns designed to prise more data from them,” Walsh said. “DoorDash has admitted that the last four digits of some customers' card details have been exposed, meaning that hackers could attempt to trick users into providing the rest of their details using sophisticated phishing attempts.”
Cyberattacks on restaurants have been on the rise in general. Recognizable chains, including PDQ, Huddle House, Checkers & Rally's, Buca di Beppo, Planet Hollywood, Caribou Coffee, Dunkin', Panera Bread, PF Chang's, Applebee's, Sonic Drive-In, Chipotle, Pizza Hut, and Wendy's, among many others, have been breached over the past few years. With so many points of access, including point-of-sale systems, websites, apps, and now delivery services, hackers can target restaurants through many different entry points.
Without adequate security at each of those entry points, including at third-party vendors, both restaurants and their customers remain exposed to breaches.
“Companies must verify the quality of their vendor cybersecurity through direct evidence, enabling them to gain the transparency necessary to understand their risk and hold their vendors to better cybersecurity performance,” White said.