Grubhub, a food delivery company, has reported a data breach that compromised the personal information of some of its customers, drivers, and merchants. The company discovered the breach when it detected unusual activity within its systems. An investigation revealed that an account belonging to a third-party provider of support services had been compromised.
The unauthorized access was quickly terminated, and the account and the third-party vendor were removed from Grubhub’s systems. The compromised data includes the names, email addresses, and phone numbers of diners, merchants, and drivers who have interacted with Grubhub’s customer care service. Partial payment card information, including the last four digits of the card number and the card type, was also accessed for some campus diners.
Hashed passwords for some legacy systems were also affected, and those passwords have been reset. Grubhub stated that the breach did not compromise marketplace customer passwords, merchant login information, Social Security numbers, bank account information, and full credit card numbers.
Grubhub investigates security breach
The company has strengthened its security measures, including deploying additional anomaly detection systems for its internal services. The number of individuals affected by the incident and whether a ransomware group conducted the attack has not been disclosed. No ransomware gang has claimed responsibility for the attack at this time.
Grubhub is monitoring the situation closely and is committed to ensuring the security and privacy of its users. The company is working with leading forensic experts to investigate the matter and has taken steps to secure its systems further. This incident comes when cybersecurity is a growing concern, with sophisticated cyberattacks and data breaches becoming more common.
According to industry reports, the average cost of a data breach has risen significantly in recent years. Grubhub is currently being sold to food hall startup Wonder for $650 million, with the deal expected to close in the first quarter of 2025. The company has not commented on whether this breach will have any impact on sales.
