Online food ordering service EatStreet has revealed a major data breach affecting customers and restaurant partners.
Although the number of companies and individuals affected isn’t known, the firm claims to partner with over 15,000 restaurants in hundreds of US cities, so the figure could theoretically surge into the millions.
The two-week incident happened in May, when an “unauthorized third party was able to acquire information in our database,” according to letters sent to EatStreet’s customers, delivery partners and restaurants.
For the latter two, the information stolen may have included names, phone numbers and email addresses, plus bank account information.
However, for customers of the service, things look even worse, with the hacker potentially making off with credit card numbers, expiry dates, CV2 numbers, billing and email addresses, names and phone numbers. That’s more than enough information to commit a range of serious identity fraud and to launch follow-on phishing attacks.
EatStreet claimed to have responded quickly to the incident, and said it has “reinforced” multi-factor authentication, rotated credential keys and reviewed and updated its coding practices to improve security going forward.
Interestingly, the firm’s website was also down at the time of writing.
“The case of the EatStreet breach is a doomsday scenario for the average consumer where a service was used for convenience or necessity, and ended up causing a major threat to the consumer's interests,” argued Colin Little, senior threat analyst at Centripetal Networks.
“With the number of mobile or cloud-based consumer services a person leverages day-to-day, and the two-week time-to-detect for complete access to a database that contains some of the most sensitive PII, this event shows that consumers deserve organizations who will proactively hunt for threats to minimize the risk to consumer data.”