Data Breach Hits Food Delivery Giant GrubHub, Putting Victims at Risk of Phishing Attacks

A data breach affecting food delivery company GrubHub has leaked the personal information of customers, merchants, and drivers after an unauthorized entity gained access using a third-party service provider’s account.

“We recently identified a security incident involving a third-party contractor, resulting in unauthorized access to certain user contact information,” the company stated.

GrubHub operates in over 4,000 cities across the United States and partners with over 375,000 merchants and 200,000 drivers. New York-based Wonder Group paid $650 million to acquire the food giant from Just Takeaway, which had bought the company for $7.5 billion in 2020.

In December 2024, the Illinois-based company agreed to pay $25 million to settle an FTC investigation into alleged anti-consumer and anti-competition business malpractices that “hurt almost everyone involved in the platform.”

Food delivery platform GrubHub confirms data breach

GrubHub said it took immediate action to contain the incident and hired an external cyber forensics team to investigate it. It also disabled the breached third-party provider’s account to terminate the threat actor’s access and rotated passwords for certain systems.

For now, the food delivery company believes the data breach has been resolved and has implemented additional anomaly detection systems to prevent a similar incident.

“We have taken decisive steps to further secure our systems and are actively strengthening our security controls to prevent similar incidents in the future,” GrubHub said.

However, the company determined that the attacker accessed the contact information of campus diners, merchants, and drivers who had contacted customer support, as the data breach involved a third-party customer service provider. The campus dining program allows students to order from the platform on or off campus across the United States.

The data breach also leaked the names, email addresses, phone numbers, and partial credit card data, consisting of the card type and the last four digits of the card number, for some individuals. While partial credit card numbers are unusable, combining them with the victims’ exposed contact information puts those individuals at risk of compelling phishing attacks.

GrubHub also disclosed that the attacker accessed hashed passwords for certain legacy systems, prompting the food delivery company to advise users to change their passwords to unique and strong passphrases.

“The unauthorized party also accessed hashed passwords for certain legacy systems, and we proactively rotated any passwords that we believed might have been at risk,” the company said.

However, the attacker did not steal GrubHub Marketplace customer passwords, merchants’ login credentials, full payment card and bank account information, Social Security Numbers, or driver’s license numbers.

Meanwhile, the number of data breach victims and when the cyber intrusion occurred remain unreported, as does the threat actor’s identity. The food delivery company has also not reported receiving any ransom demands.

Third-party breaches pose significant security risks

It remains unclear how the attacker gained access to the service provider’s account, although compromised credentials and phishing are the most likely tactics.

Evidently, third-party partners pose a significant security risk to primary organizations by expanding the attack surface, underscoring the need to vet their cybersecurity practices and enforce multi-factor authentication (MFA) when granting access.

“The confirmed GrubHub data breach underscores the critical vulnerabilities inherent in third-party partnerships,” reiterated Steve Cobb, CISO at SecurityScorecard. “Attackers exploited an account from a service provider to infiltrate GrubHub’s systems, compromising the personal information of customers, merchants, and drivers, including partial payment information.”

“This incident highlights the domino effect a single compromised vendor can have on an entire ecosystem, acting as a stark reminder that traditional reactive security measures are insufficient in today’s threat landscape,” added Cobb. “To mitigate such risks, organizations must adopt a proactive approach to third-party risk management. Implementing supply chain detection and response for real-time data allows security teams to collaborate effectively with their partners and reduce cyber risk across the supply chain.”

Food distributors targeted by cyber attacks

Food distributors are frequently the targets of cyber attacks due to the vast amount of personal and financial information they collect.

In 2020, cybercriminals attacked German food delivery service Lieferando using distributed denial-of-service (DDoS) attacks and demanded two bitcoins as ransom. Delivery Hero also suffered a cyber attack that disrupted food distribution across 14 countries.

In May 2019, food delivery giant DoorDash also experienced unauthorized access that compromised over 5 million records.