Grubhub, a major U.S. food delivery service, has revealed that hackers gained access to the personal details of its customers and drivers after infiltrating its internal systems.
What Happened?
The company, which operates in over 4,000 U.S. cities and works with 375,000 restaurants and 200,000 delivery providers, discovered the breach after detecting unusual activity within its network. The attack was traced back to a third-party service provider that had unauthorized access to Grubhub’s systems.
“Upon identifying the breach, we quickly launched an investigation and took immediate action to revoke the provider’s access,” Grubhub stated. The company confirmed that it terminated the account in question and completely removed the provider from its systems to prevent further security risks.
Who Was Affected?
The breach impacted customers, restaurant partners, and delivery drivers—particularly those who interacted with Grubhub’s customer support services. Additionally, students using the company’s Campus Dining service, which allows them to pay for meals with university meal credits, were also affected.
According to Grubhub, the compromised information includes:
- Names
- Email addresses
- Phone numbers
- Partial payment card details (only the last four digits)
The company also noted that hashed passwords for certain older systems were accessed. However, Grubhub assured users that bank account details and Social Security numbers were not impacted.
How Many People Were Affected?
Grubhub has not yet disclosed the exact number of individuals affected by the breach. The company also did not confirm when the security incident first occurred or how long the unauthorized access lasted.
What’s Next?
While Grubhub has taken steps to remove the compromised provider from its systems, the breach raises concerns about third-party security risks in the food delivery industry. Customers and drivers are advised to reset their passwords, monitor their accounts for suspicious activity, and remain cautious of phishing attempts that may result from exposed information.
With cybersecurity threats becoming increasingly sophisticated, this incident serves as yet another reminder of the vulnerabilities companies face when relying on third-party providers for essential services.
