GrubHub reveals massive data breach - customers, drivers, businesses all affected, here's what we know

(Image credit: Shutterstock / Diego Thomazini)

Food delivery service GrubHub has been breached through a third-party vendor
The incident left Personally Identifiable Information exposed on users and others
GrubHub has launched a full investigation

GrubHub has confirmed suffering a ‘security incident’ involving a third-party contractor which resulted in the unauthorized access to a set of user contact information.

The breach was detected after the firm noticed unusual activity within its environment, which it traced back to a third-party vendor that provides services for its Support Team. Once discovered, GrubHub reportedly launched an investigation and found unauthorized access to an account associated with the vendor.

The company says it took ‘immediate action’ to contain the situation and is now confident the incident is ‘fully contained’. The leaked data includes names, email addresses, phone numbers, and partial payment information for a group of users. It’s also believed the threat actor had access to hashed passwords for legacy systems.

Know your vendor

Following the incident, GrubHub said it enhanced its security by implementing enhanced monitoring services, as well as strengthening credential security and engaging forensic experts to complete a comprehensive investigation.

This incident proves just how crucial monitoring your systems and your vendors is for businesses of all sizes. Third-party data breaches have become a major security concern thanks to the vast number of vendors most firms will use, many of which are smaller companies with smaller cybersecurity budgets.

“If you want to get into a big organization you go through [third-party vendors]. You go for the low hanging fruit. We've got 14,000 vendors globally providing everything from uniforms in retail branches to large scale data centers,” Standard Chartered Bank’s Benedict Peet told TechRadar Pro.

“You've got to have a scalable security questionnaire to ask them, but the risk is still the same, whether it's a mum and pop shop in the back streets of Seoul or it's at Atos Origin or someone like that.”

Data breaches put victims at risk of identity theft, so take a look at our choices for best identity theft protection if you're concerned you might be affected.

Take a look at our pick of the best antivirus software around
Check out our recommendations for best malware removal
Over a million patients potentially hit after another US healthcare provider hit by cyberattack

Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.