
Food delivery giant GrubHub has reported a significant data breach affecting its customers, merchants, and delivery partners. The security incident occurred when unauthorized actors gained access through a third-party service provider’s account, prompting immediate security measures.
The breach exposed various personal information, including:
– Names
– Email addresses
– Phone numbers
– Partial payment card details (type and last four digits) for some campus diners
GrubHub’s immediate response included:
– Terminating the compromised service provider account
– Engaging external forensic experts
– Implementing password rotation
– Adding enhanced anomaly detection systems
The company confirmed that critical data remained secure, including:
– Grubhub Marketplace customer passwords
– Merchant login credentials
– Complete payment card numbers
– Bank account information
– Social Security numbers
– Driver’s license numbers
While some legacy system passwords were accessed in hashed form, GrubHub proactively reset potentially compromised credentials. The company, which serves over 375,000 merchants and 200,000 delivery partners across 4,000 U.S. cities, recommends users maintain unique passwords for additional security.
This incident follows GrubHub’s recent $25 million settlement with the FTC over separate charges regarding deceptive business practices.