US-based grocery delivery and pick-up service Instacart has disclosed a security incident that involved unauthorized access of customer information by two support agents from a third-party vendor retained by the company.
Instacart says it discovered the breach during a review of support protocols and immediately opened an investigation alongside a forensic analysis team.
“As part of our ongoing review of support protocols, we’ve determined that two employees retained by a third-party support vendor we work with may have reviewed more shopper profiles than was necessary in their roles as support agents,” Instacart said.
The final report of the investigation confirmed that the two employees viewed “a limited set of shopper information that may have included name, email address, telephone number, driver’s license number, and a thumbnail image of the driver’s license.
However, Instacart assures users that no customer data was stored, downloaded or copied during this unauthorized access, emphasizing that “no customer information or profiles were accessed or impacted in any way by this incident.”
It appears that only 2,180 shoppers were affected by the breach. The company also said that it notified potentially affected customers, and as a precaution, offered them two years of free credit monitoring and protection.
“While our investigation offered no indication that any shopper had their data stored, downloaded or digitally copied in any way, as an additional preventative measure, we’re offering two years of free credit monitoring and protection to all 2,180 shoppers whose information may have been viewed by these two individuals,” the company added.
Additional security measures have already been reinforced by the company, which introduced new authentication methods for platform users, including shopper ID verification, secure login, automatic logouts and banned device switching.
On top of these protective measures, Instacart says it is working on releasing a new customer support service for customers who believe their personal information has been compromised or who have any security-related questions.
This is not the first security incident reported by Instacart this year. Last month, the company disclosed a credential stuffing attack after 278,531 user accounts were put up for sale on a dark web forum.