DoorDash Data Breach: Food to You, Your Data to Someone Else

The DoorDash data breach is big news because it's a popular service.

At some restaurants, it can seem like there are as many DoorDash delivery drivers (Dashers) in the lobby as customers waiting for a table.

Now, millions of those Dashers and customers who use the DoorDash service are at greater risk because of a data breach.

What happened in the DoorDash data breach?

DoorDash wrote about the data breach on its blog this week. And it explained, in a couple of sentences, what happened:

"Earlier this month, we became aware of unusual activity involving a third-party service provider. We immediately launched an investigation and outside security experts were engaged to assess what occurred. We were subsequently able to determine that an unauthorized third party accessed some DoorDash user data on May 4, 2019."

This statement leaves us wondering about two different possibilities. 

1. Did a DoorDash vendor get breached and that exposed the data?
2. Or did a DoorDash vendor employee improperly access customer and driver data?

We don't really know which of these occurred.However, it clearly involves a vendor the company works with.

It is a lot of work to track and trust the cybersecurity of companies that you hire. And the companies they hire to help them. And so on.

This is why third-party vendor risk management is almost always on the agenda at our regional SecureWorld cybersecurity conferences.

How many people were impacted in the DoorDash data breach?

The company's investigation has determined the following scope:

"Approximately 4.9 million consumers, Dashers and merchants who joined our platform on or before April 5, 2018."

So the good news is customers and Dashers who joined the company April 6, 2018, or later are not part of the data breach.

What information was exposed in the DoorDash data breach?

According to the company blog post:

• Profile information including names, email addresses, delivery addresses, order history, phone numbers, as well as hashed, salted passwords—a form of rendering the actual password indecipherable to third parties.
• For some consumers, the last four digits of consumer payment cards. However, full credit card information such as full payment card numbers or a CVV was not accessed. The information accessed is not sufficient to make fraudulent charges on your payment card.
• For some Dashers and merchants, the last four digits of their bank account number. However, full bank account information was not accessed. The information accessed is not sufficient to make fraudulent withdrawals from your bank account.
• For approximately 100,000 Dashers, their driver's license numbers were also accessed.

What is DoorDash doing to prevent another data breach?

Like most organizations who have been breached, DoorDash says it is upping its security program on several fronts:

"We have taken a number of additional steps to further secure your data, which include adding additional protective security layers around the data, improving security protocols that govern access to our systems, and bringing in outside expertise to increase our ability to identify and repel threats."

Hopefully, this will be enough to ensure that your food arrives just like it should while your data stays protected, just like it should.

[READ: DoorDash data breach statement and blog post]