Grubhub, the popular U.S. food delivery giant, confirmed a security breach that impacted the personal information of customers, merchants, and drivers. The company disclosed that hackers gained unauthorized access to its systems through a third-party service provider. The breach affected users who had interacted with Grubhub’s customer care service, including those using its Campus Dining service. Grubhub did not specify the number of individuals impacted or when the incident took place.
The personal data compromised in the attack included names, email addresses, phone numbers, and partial payment card details for some campus diners.
The hackers also gained access to hashed passwords from certain legacy systems. However, Grubhub clarified that sensitive financial information such as bank account numbers and Social Security numbers was not exposed during the breach.
Upon discovering the unusual activity, Grubhub immediately initiated an investigation and identified the source of the breach. The company quickly terminated the account associated with the compromised provider and removed it from its network entirely to prevent further unauthorized access. The breach highlights the growing risk of third-party service providers being targeted as an entry point for cyberattacks.
Grubhub’s acquisition by Wonder Group in 2024 for $650 million, after being sold by Just Eat Takeaway in 2020, has not shielded it from such cyber incidents. The breach raises concerns about the company’s ability to protect sensitive user data, especially considering the large number of users on its platform. Grubhub’s response, while swift, emphasizes the need for businesses to continuously monitor third-party connections to safeguard against similar breaches.
Reference: