Dive Brief:
- DoorDash confirmed in a blog post Thursday that a data breach on May 4 impacts 4.9 million customers, delivery workers and merchants.
- Spokesperson Mattie Magdovitz told TechCrunch that an unauthorized third party gained access to this data and that DoorDash launched an investigation and brought in outside security experts to assess the situation.
- According to TechCrunch, users had their names, email and delivery addresses, order history, phone numbers and passwords stolen. The last four digits of consumers' payment cards were also stolen, while about 100,000 delivery employees had their driver's license information stolen.
Dive Insight:
The restaurant space is particularly vulnerable to hackers because of restaurants' dependence on third-party services, like delivery aggregators and reservation apps.
These partners create an additional entry point for hackers to access customer data.
Breaches are up significantly as retailers move toward digital commerce with the help of third-party vendors. Reported breaches rose 54% year-over-year in 2019 compared to midyear 2018, surpassing 2016 as the "worst year on record."
DoorDash likely has a long road to recovery. Data breaches aren't cheap, financially or reputationally.
Recovering from a breach costs a company an average of about $148 per compromised record, or $3.92 million on average, according to IBM. That's not counting the costs stemming from potential lawsuits, which could arise since it took nearly five months to inform customers of the breach. Wendy's settled a data breach lawsuit for $50 million in February.
It's also hard to put a price tag on the reputational damage. According to a study by KPMG, 19% of customers said they would stop visiting a brand if a breach occurred, and 33% said they would take a break from the company for an extended period of time.