Delivery Hero, a popular food delivery service, has confirmed a data breach at the Foodora brand it bought in September 2015. The breach exposed more than 727,000 customer details from 14 countries including Singapore, Germany, Spain, France, Finland, Italy, Austria, Hong Kong, the Netherlands, Canada, Sweden, Norway, Australia and the United Arab Emirates.
“Unfortunately, we can confirm that a data breach has been identified concerning personal data dating back to 2016,” Delivery Hero said in a statement. “The data originates from some countries across our current and previous markets.”
Discovered on a prevalent underground forum on May 19, the compromised data includes information of Foodora customers such as usernames, phone numbers, addresses, full names, locations, and hashed passwords. No payment information or credit details were included in the data dump consisting of a series of SQL files labeled “CustomerAddress” and “Customers.”
“We started a thorough internal investigation and have informed all relevant authorities,” the company said. “We are working closely with our security and data protection teams, as well as local authorities, to identify what caused the breach and inform the affected parties.”
According to data breach expert Troy Hunt, who analyzed the data, over 600,000 unique email addresses were listed, with the oldest Australian-based file dating to 2015.
No additional details were provided, and it’s not clear when the food-delivery service will start informing affected customers. Customers from nine European countries were affected and, under the European Union’s data protection law, data regulators may impose fines of up to 4% of an organization’s annual global revenue. In 2019, Berlin’s Data Protection Authority issued a 195,407 Euro fine to Delivery Hero for violations of the GDPR law.
Food delivery services are in high demand and, considering the current threat landscape, similar breaches are to be expected. The variety of exposed customer data should serve as a reminder of the risks that follow a data breach of large proportions. Affected customer should be wary of the dangers and monitor their Inboxes for suspicious emails.