San Francisco–based food delivery company DoorDash has confirmed a data breach in which the information of 4.9 million of its customers, delivery workers and merchants was stolen by hackers.
The disclosure comes exactly a year after another incident in which dozens of people complained that their DoorDash accounts had been improperly accessed and fraudulent food deliveries charged to their accounts.
"Earlier this month, we became aware of unusual activity involving a third-party service provider. We immediately launched an investigation and outside security experts were engaged to assess what occurred," said a company blog post.
"We were subsequently able to determine that an unauthorized third party accessed some DoorDash user data on 4 May. We took immediate steps to block further access by the unauthorised third party and to enhance security across our platform."
The data stolen include names, email addresses, delivery addresses, order history, phone numbers, and hashed and salted passwords. The last four digits of consumer payment cards and the bank account numbers of some customers were also stolen. However, the company clarified that the information accessed is not sufficient to make fraudulent charges on payment cards or withdrawals from bank accounts.
"With this being the second major breach reported by DoorDash in a relatively short time-frame, it’s clear that lessons haven't been learned," said Richard Cassidy, senior director of security strategy at Exabeam.
"Customers, delivery workers, and merchants impacted by this DoorDash incident are now vulnerable to the sinister designs of hackers both now and in the future. Malicious parties can use payment card information and personally identifiable information (PII) to make fraudulent purchases, to make a sale on the dark web for a quick profit, and much more," said Bitglass CTO Anurag Kahol.
"Additionally, a staggering 59 percent of consumers reuse passwords across multiple accounts. This means that if a cyber-criminal appropriates a single password, then they can potentially gain access to a user's accounts across a number of services wherein said password is reused," he said.
The company has asked users to reset their passwords to ones that are unique to DoorDash. "Unfortunately, changing phone numbers and home or work addresses is not quite as easy," Kahol said.
"This event demonstrates why it is crucial for companies to do a better job at protecting data – particularly when so much of their business is conducted via the cloud and through digital services. Security solutions that enforce real-time access control, manage the sharing of data with external parties, encrypt data at rest, and prevent data leakage are critical for any organisation’s cyber-security programme," he added.
Data thefts like these pose a greater risk than card fraud or bank account access, said Rosemary O'Neill, customer delivery director at NuData Security.
"Data in the wrong hands – especially personally identifiable information – can have a huge impact on customers. Personal information, combined with other user data from other breaches and social media, builds a complete profile. In the hands of fraudsters and criminal organisations, these valuable identity sets are usually sold to other cyber-criminals and used for a myriad of criminal activities, both on the Internet and in the physical world," she said.
The company has assured users that additional layers of security are in place.
"We have taken a number of additional steps to further secure your data, which include adding additional protective security layers around the data, improving security protocols that govern access to our systems, and bringing in outside expertise to increase our ability to identify and repel threats," said the blog post.
Companies can make the stolen data valueless by detecting and preventing its future use, suggested O'Neill.
"Companies can use technologies that detect when this data is being used. Most of the time, the data is used in automated attacks that can be detected with good bot-detection and behaviour evaluation tools. Additionally, technologies that look at inherent user patterns like passive biometrics add to security by flagging when the right information is presented for a user, but that user is behaving unusually. The balance of power will return to customer protection when more companies implement such techniques and technology," she explained.
Most of the data privacy breaches that have happened recently could have been prevented or limited by cyber-security programmes that focus on the security of the data itself, and not just on networks, servers and applications, noted Jan van Vliet, vice-president and general manager EMEA at Digital Guardian.
"Shifting the focus towards identifying, controlling and securing sensitive data assets may not prevent a cyber-breach, but it will minimise data loss – and hopefully the need to admit you should have known better," van Vliet said.
Communication is the most critical element in breach situations like these, agrees Exabeam's Cassidy.
"When customer personally identifiable information (PII) is believed to have been breached, or at risk as a result of a suspected breach, consumer and industry confidence can only be salvaged through transparency. The challenge with delaying breach (or potential breach) communication is in the increased risk of further compromise to those affected; cyber-criminals will undoubtedly capitalise on any gathered PII to facilitate more targeted campaigns, such as phishing or further identity-based theft attacks," he explained.