Grubhub Data Breach Exposes Personal Details of Customers and Drivers

U.S. food delivery giant Grubhub has confirmed that hackers accessed the personal details of customers and drivers after breaching its internal systems. The breach has exposed sensitive information, including names, email addresses, phone numbers, and partial payment card information.

Grubhub’s Popular Food-Ordering and Delivery Platform

Grubhub is a well-established food-ordering and delivery platform with over 375,000 merchants and 200,000 delivery providers using its platform in more than 4,000 U.S. cities. New York-based Wonder Group acquired the company last fall in a deal valued at $650 million.

Background of the Acquisition

Grubhub was previously acquired by Just Eat Takeaway in 2020 for $7.3 billion. However, Wonder Group acquired the company in a significantly lower deal.

Grubhub Discloses Data Breach

On Monday, Grubhub disclosed a data breach impacting the personal data of an undisclosed number of customers, merchants, and drivers. The company detected “unusual activity” in its network, which it traced to a third-party service provider.

Grubhub’s Response to the Breach

Grubhub said it promptly launched an investigation, identifying unauthorized access to an account associated with the third-party service provider. The company immediately terminated the account’s access and removed the service provider from its systems altogether.

Impact of the Breach

The intrusion allowed unnamed hackers to access the personal details of customers, merchants, and drivers who interacted with Grubhub’s customer care service. The breach also affected users of Grubhub’s Campus Dining service, which allows university students to use their meal credits on the food delivery app.

Personal Details Exposed

According to Grubhub, personal details accessed include names, email addresses, phone numbers, and partial payment card information — including the last four digits of the card number — for a “subset” of campus diners. The hacker also accessed hashed passwords for certain legacy systems, but bank account details and Social Security numbers were not affected by the breach.

Uncertainty Surrounds the Breach

Grubhub has not disclosed how many individuals have been affected by the breach or when the incident occurred. The company did not immediately respond to TechCrunch’s questions.