DoorDash data exposed in third-party vendor hack

Personal information maintained by DoorDash has been affected by a recent phishing attack on one of the online delivery platform’s third-party vendors.

In a corporate blog post, DoorDash said it recently detected “unusual and suspicious activity” coming from a third-party vendor’s computer network. In response, the company disabled the vendor’s access to its system and launched an investigation which determined an unauthorized party used credentials stolen from vendor employees to gain access to the DoorDash network.

While DoorDash acknowledged personal data of a “small percentage” of its customers and delivery drivers was compromised, the company said it does not currently believe that data includes passwords, full payment card numbers, bank account numbers, or Social Security or Social Insurance numbers.

For affected consumers, DoorDash said breached data primarily consists of name, email address, delivery address and phone number. The hackers were also able to access basic order information and partial payment card information (card type and last card number four digits) of some customers.

For affected drivers, DoorDash said exposed information primarily included name and phone number or email address, although the company said information affected for each individual impacted by this incident may vary.

“The advanced tactics used appear to be connected to a wider phishing campaign that has targeted a number of other companies,” DoorDash said in the blog post. “We understand that law enforcement is aware of this campaign and is actively investigating. We have contacted them to offer our support.”

In response to this third-party breach, DoorDash said it is taking steps including enhancing its existing security systems, sharing security alerts with other third-party vendors detailing the specific tactics used, notifying affected individuals, bringing an outside cybersecurity firm in to assist its ongoing investigation, and “proactively” assisting law enforcement.

“The DoorDash breach that gave hackers access to customers’ data highlight how crucial strong access management and infrastructure are to maintain strong security,” Tim Prendergrast, CEO of infrastructure access management solutions provider strongDM, said in commentary provided to Chain Store Age. “Attackers are relentlessly looking for ways into internal systems because it grants them a VIP pass into databases, and servers and access to everything companies don’t want leaked publicly. Once attackers get those valid credentials, they can wreak havoc internally.”

Kroll: Fraud poses serious risk to businesses
According to the recent Global Fraud and Risk Report from security company Kroll, 82% of over 1,300 surveyed senior decision-makers for risk strategy said their organizations had been significantly impacted by fraud and illicit activity. Seventy-eight percent of respondents’ organizations had conducted investigations into fraud, corruption or related misconduct in the past three years.

Looking specifically at retail, wholesale and distribution respondents, the survey found that 81% had been significantly impacted by serious misconduct and 69% had conducted an internal investigation in the last three years. In addition, four in five (79%) respondents overall said the cost of these investigations had increased, particularly for organizations with revenue of more than $15 billion.

In response to the high reported rates of serious misconduct, more than three-quarters (78%) of surveyed organizations stated they had conducted internal investigations over the past three years.