GrubHub third-party breach exposes partial payment info


Online food delivery platform GrubHub reveals a breach of its systems via a third-party service provider has exposed the sensitive information of diners, merchants, and drivers, including some payment information and hashed passwords.

The Chicago-based takeout delivery giant announced the “third-party vendor incident” on its website Monday.

“We recently detected unusual activity within our environment traced to a third-party service provider for our Support Team… identifying unauthorized access to an account associated with this provider,” the company said, without naming the vendor.


GrubHub said that as soon as it became aware of the unauthorized activity, it launched an investigation and immediately terminated “the account’s access and removed the service provider from our systems altogether.”

Steve Cobb, CISO at SecurityScorecard, a supply chain detection and response firm, says the GrubHub data breach highlights the critical vulnerabilities inherent in third-party partnerships and "the domino effect a single compromised vendor can have on an entire ecosystem.”

“Attackers exploited an account from a service provider to infiltrate GrubHub’s systems, compromising the personal information of customers, merchants, and drivers, including partial payment information,” he pointed out.

GrubHub breach exposes data
Grubhub.com. Image by Cybernews.

Cobb explains that in an era where third-party breaches are increasingly common, "businesses that fail to evolve their security strategies risk significant operational, financial, and reputational damage."

"The GrubHub data breach serves as a call to action for organizations to strengthen their third-party risk management practices and adopt a proactive approach to third-party risk management," he said.

The compromised data

In its website response, GrubHub said that “the contact information of campus diners, as well as diners, merchants, and drivers” who interacted with its customer care service was compromised in the breach. However, it's not clear if the attackers were able to exfiltrate that data from the network systems.


Campus diners are the students, faculty, staff, and visitors of any dining facility or restaurant located on a college or university campus in the US. To put it in perspective, there are close to 6000 universities and campuses in the US alone, according to a 2023 report by BestColleges.com.

The company said that the specific data accessed by the attackers was different for each individual in the GrubHub system, including:

  • Names, email addresses, and phone numbers
  • Partial payment card information for a subset of campus diners
  • Hashed passwords for certain legacy systems

GrubHub noted that the payment information was limited to the card type and the last four digits of the card number.

The company, which did provide a list of sensitive information that was not accessed in the breach, also said it “proactively rotated any passwords” possibly at risk. Non-compromised data was listed as:

  • Grubhub Marketplace customer account passwords
  • Merchant login information
  • Full payment card numbers
  • Bank account details
  • Social Security or driver’s license numbers

GrubHub is urging all victims (and potential victims) to change their login credentials using “unique passwords to minimize risk.”

Although not mentioned, customers can further protect their login information by turning on multi-factor authentication or biometric passkeys for their accounts.


Company resilience hinges on preparedness


GrubHub said it has since taken “decisive steps” to enhance its security measures and prevent similar attacks in the future, such as bringing in outside forensic experts to conduct the investigation, strengthening credential security by changing all passwords, and deploying additional anomaly detection mechanisms across internal services.

The question remains, is that enough to keep a company secure?

Nick Tausek, Lead Security Automation Architect at AI security firm Swimlane, said that in an era where cyberattacks are inevitable, "resilience hinges on preparedness."

“Cybercriminals continue to exploit third-party providers, underscoring the need for robust cybersecurity strategies,” he said, adding that while Grubhub said it has enhanced monitoring services following the incident, “organizations must move beyond reactive measures.”

“By leveraging AI-driven security operations, security teams can implement continuous monitoring, automated threat detection, and swift incident response, enabling them to detect anomalies before they escalate into full-blown breaches,” he said.

Founded in 2004, GrubHub only serves customers in the United States, but the company is part of Just Eat Takeaway.com, the international food delivery platform bought by the Wonder Group last year.