Almost 5 million customers, delivery drivers and partners hit by DoorDash data breach – expert comments

Food delivery company, DoorDash, has confirmed it was hit by a data breach which exposed the data of close to 5 million customers, delivery people and partners. The breach took place in May of this year, and it’s unclear why it has taken DoorDash so long to reveal the details.

According to a spokesperson for DoorDash, the breach took place via a third party provider – who was not named – and affected users who had joined the platform prior to April 5th, 2018. Stolen data included names, email and delivery addresses, telephone numbers and, most worryingly, hashed and salted passwords. Customers who joined after this date were not affected.

The Guru reached out to several cybersecurity experts to get their reaction to the news.

Rosemary O’Neill, director – customer delivery, at NuData Security – part of Mastercard:

“Data in the wrong hands – especially personally identifiable information – can have a huge impact on customers. Personal information, combined with other user data from other breaches and social media, builds a complete profile. In the hands of fraudsters and criminal organisations, these valuable identity sets are usually sold to other cybercriminals and used for a myriad of criminal activities, both on the Internet and in the physical world. Every hack has a snowball effect that far outlasts the initial breach.

We must change the current equation of “breach = fraud” by changing how companies think about online identity verification; the key is to make it valueless.

Once the customer’s data is out, it doesn’t have to generate losses for that client or the company where the data is used. Companies can use technologies that detect when this data is being used. Most of the times, the data is used on automated attacks that can be detected with good bot-detection and behavior evaluation tools. Additionally, technologies that look at inherent user patterns like passive biometrics add to security by flagging when the right information is presented for a user, but that user is behaving unusually.

The balance of power will return to customer protection when more companies implement such techniques and technology.”

Rob Gurzeev, CEO and Co-Founder at CyCognito :

Unfortunately, this kind IT ecosystem risk isn’t unique to DoorDash. In fact, IT and security teams often don’t even know if and where all of their organisation’s digital infrastructure and assets are, or whether they’re fully protected. This ‘awareness gap’ is called shadow risk, and it’s a major problem. Organisations need to expose those shadow risk by mapping and assessing their full attack surface.

Paul Bischoff, privacy advocate at Comparitech.com:

“The third-party provider did it” is becoming a common chorus among many companies whose data was breached or exposed. If you think you’re only giving up information exclusively to one party when you sign up for any sort of account these days, you’re very likely mistaken. Data sharing is common place, because not every company is equipped to secure, analyse, or exploit it. A food delivery service, for example, might not excel at digital advertising. So it contracts that part of its business out to a third party. But those external providers aren’t even on most consumers’ radars, and they might not set as high of standards when it comes to securing data.

Erich Kron, security awareness advocate at KnowBe4:

“This particular breach disclosed a significant amount of information, even though the passwords were hashed and salted. By using information from this breach, attackers could create a very convincing phishing email using your name, email address and phone number, along with the last four digits of the credit card and trick a person into believing it was legitimate. This is even worse for delivery drivers who have had their drivers’ license number also compromised. Any time there is a lot of correlated data in a breach, the bad guys can use that against people. The fact that this data has been available for so long before people were notified is unfortunate, especially when customers had reported suspicious activity so long ago. If you have ever wondered how scammers get the information they use to call people claiming that their Social Security Number is suspended, or that the IRS is going to arrest them, this is one way that it happens.”

Warren Poschman, senior solutions architect at comforte AG:

“With a nearly five-month delayed breach response, DoorDash has given its customers more to worry about than getting cold tikka masala.  Although payment information was seemingly not stolen, the theft of critical personal data including names, addresses and in some cases driving license data makes this yet another example of how securing data using a data-centric security approach, where the actual data is protected instead of the systems, is necessary.  Unfortunately, DoorDash has responded by delivering some security leftovers by only “…adding additional protective security layers around the data, improving security protocols that govern access to our systems”.  Today’s attack vectors require more than disk encryption, firewalls, and access management – it requires protecting the actual data that the attacker is after, not just the system around the data.”