
Grubhub says hack on third-party exposed information on campus customers

The delivery service Grubhub said a hacker stole personal data and partial payment card information from customers through a third-party contractor.

In a statement published on Monday evening, the company said it recently identified a security incident that “originated with an account belonging to a third-party service provider that provided support services to Grubhub.”

The information stolen includes names, email addresses, phone numbers, card types and the last four digits of card numbers. The hackers also stole hashed passwords for some legacy systems used by Grubhub. 

The company did not respond to requests for comment about how many people were affected, when the incident happened and who was behind the attack. 

“We recently detected unusual activity within our environment traced to a third-party service provider for our Support Team. Upon discovery, we promptly launched an investigation, identifying unauthorized access to an account associated with this provider. We immediately terminated the account’s access and removed the service provider from our systems altogether,” the company said.

“The unauthorized individual accessed contact information of campus diners, as well as diners, merchants and drivers who interacted with our customer care service.”

It is unclear what campus Grubhub is referring to. The company runs a service specifically for college students on campuses around the U.S. 

The company said it “took immediate action” to contain the attack and worked with experts to investigate the incident. Grubhub added that it is “confident that the incident has been fully contained.” It has rotated any passwords that may have been leaked, according to the statement.

The company claimed it has taken several other steps to secure its systems but did not elaborate on what measures have been instituted. 

Grubhub is one of the world’s most popular food delivery apps, with more than 375,000 merchants serving over 4,000 U.S. cities. In November, Grubhub was sold by its Dutch owner to a company named Wonder for $650 million. 

The company recently paid a $25 million penalty to settle charges from the Federal Trade Commission that it hid the cost of delivery from some customers, deceived workers about how much they would make from deliveries and listed restaurants without their permission as a pressure tactic.  

The settlement was originally for $140 million but it was partially suspended because Grubhub could not pay the full amount. 

Several other food delivery platforms have dealt with cyberattacks involving customer information, including Asian and Hispanic grocery service Weee!, PurFoods and others.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.