Food delivery-service data-leaks

Food delivery services’ databases may not contain payment information, but leaks can still cause major problems.

Delivery services’ database leaks

Data can leak from companies of every stripe. Some hold more of it, others less. Not every leaked database, it might seem, contains critical information. But can any leak ever be considered absolutely safe? Let’s consider the example of food delivery services.

What data gets leaked?

Let’s state straight away that delivery services are unlikely to leak bank card details — for the simple reason that they don’t handle them. Some of them use a payment gateway that’s controlled by the acquiring bank: the card number is entered on the bank’s website and the merchant doesn’t even see, let alone store it. Even if the card is linked, this happens on the side of the bank, and the merchant only receives a binding ID.

Nevertheless, leaks from food delivery services are generally more dangerous than from marketplaces. An order placed on a marketplace can be picked up at a collection point or post office, while a food order is always delivered to the customer at, say, their home or office. We’re talking about very personal data here that can link a person to a phone number and physical address, as well as give some insight into their wealth and behavior patterns.

How such leaks threaten customers

Clearly, there are no positives to be had from such bundles of personal information being available in the public domain, and here are the possible negatives:

  • Potential attackers have information about where the victim lives, how much they spend on food delivery, when they order it, and which days they tend to skip it; that’s a perfect recipe for a burglary;
  • Unexpected domestic problems may arise. For instance, last summer there was a story on social media about a girl who got hold of such a database and learned that her boyfriend regularly ordered pizza to the home address of a female friend of hers. It didn’t end well, whichever way you slice it;
  • Such leaks represent ready-made market-research databases for painting consumer portraits and sending targeted spam to known postal addresses;
  • Such databases contain not only home addresses, but business ones too. And this allows an attacker to use social engineering to penetrate a company’s internal network through a delivery-service customer — for example, by calling and informing them that they’ve won and been sent a customer loyalty prize that turns out to be a flash drive with malware. Since the victim is a genuine customer of the delivery service, they’ll have little reason to smell a rat — especially if it’s a courier in uniform who delivers the flash drive.

How such leaks threaten business

For a business, such leaks are a force majeure that carries numerous risks:

  • Reputational. Leaks cannot be hushed up because databases inevitably pop up on the dark web; so, as a rule, companies themselves try to report them first. But such openness doesn’t help much — security incidents always shake both customers and partners’ trust;
  • Regulatory. Regulators are always ready to fine businesses for violations of personal data protection laws. The size of the fine depends on the jurisdiction, and not only the region where the company is registered can play a role, but also the whereabouts of its customers. For example, any company offering goods or services to customers in almost any European country falls under the GDPR;
  • Material. Customers are increasingly teaming up to file class-action lawsuits when their data is leaked, and courts are starting to side with them. Again, the sums involved are small, yet they’re growing due to the increasing number of folks ready to sue.

What to do?

Unfortunately, customers not prepared to completely abandon delivery services have few options. Leaks should be seen as an inevitable risk that, like any other, must be assessed and its consequences mitigated. For example, order deliveries to pickup points — not your home address; and pay attention to checkboxes on the order form — you might be able to stop your home address and phone number from being stored.

Businesses have more options. These are well known but, sadly, still not always fully employed:

  • Limit employee access to internal databases containing personal data;
  • Carry out periodic audits of security systems;
  • Do not store unnecessary personal data. This means allowing customers to choose what they are willing to entrust to your business, and what must be removed immediately upon completion of an order;
  • Carefully monitor what is happening in your infrastructure using MDR class services.