UPDATED 20:47 EST / SEPTEMBER 26 2019

SECURITY

4.9M customer and provider records stolen in DoorDash data breach

Food delivery service provider DoorDash Inc. has suffered a data breach and the records of some 4.9 million customers, delivery providers and merchants have been stolen.

DoorDash said the breach, which was detected May 4, involved unauthorized activity on a third-party service provider.

The data related only to customers, delivery providers and merchants who had joined DoorDash before April 5, 2018; those who joined after that date were not affected. The data stolen included names, email addresses, order history, phone numbers and encrypted passwords.

In some cases, the stolen data included the last four digits of credit cards and, for 100,000 delivery providers, driver’s license numbers as well. The company emphasized that full credit card details and CVV numbers were not stolen, so the data cannot be used to make fraudulent charges to payment cards.

DoorDash said in a statement that it has taken several additional steps to secure data, including “adding additional protective security layers around the data, improving security protocols that govern access to our systems and bringing in outside expertise to increase our ability to identify and repel threats.” Customers are also being encouraged to change their passwords as a precaution.

Missing from DoorDash’s disclosure are who the third party was and how the data breach took place. Was it yet another failure to secure an online database or was it a proper hack?

“‘The third-party provider did it’ is becoming a common chorus among many companies whose data was breached or exposed,” Paul Bischoff, privacy advocate at research firm Comparitech Ltd., told SiliconANGLE. “If you think you’re only giving up information exclusively to one party when you sign up for any sort of account these days, you’re very likely mistaken.”

The length of time it took DoorDash to disclose the data breach is also being questioned.

“While it’s still unknown why DoorDash took almost five months to publicly announce their breach that happened in early May, the food delivery app company could be subjected to significant fines for not addressing the major security incident more promptly as required by law,” said Ben Goodman, senior vice president of global business and corporate development at access management platform provider ForgeRock Inc.

Although DoorDash seemingly tried to play down the severity of the attack, the stolen data now makes them “vulnerable to the sinister designs of hackers both now and in the future,” said Anurag Kahol, chief technology officer of CASB cloud security firm Bitglass Inc. Malicious parties can use card information and personally identifiable information to make fraudulent purchases, sell it on the dark web for a quick profit and much more, he noted.

“As just one step in trying to control the damage, impacted users should change their passwords on all of the accounts where they used these now exposed credentials,” Kahol advised. “Unfortunately, changing phone numbers and home or work addresses is not quite as easy. This event demonstrates why it is crucial for companies to do a better job at protecting data – particularly when so much of their business is conducted via the cloud and through digital services.”

Chris DeRamus, chief technology officer at continuous cloud security firm DivvyCloud Corp., noted that with 2019 already on track to become the worst year for data breaches yet, companies must do more.

“Companies such as DoorDash, whose entire platform between delivery worker, customer and restaurant is driven through a digital application, need to invest in improving their cloud infrastructure to safeguard not only customer data but the future success of the company,” DeRamus said. “Only 100% consistency in implementing best practices, policies and tools can ensure protection against a breach. Automated security solutions are the only way to ensure proper security is enforced at all times.”
