The online food ordering and delivery service EatStreet informed its customers and partners that it suffered a data breach exposing a variety of personal data including payment card information.
According to the California State Attorney General’s office, EatStreet sent letters to its diners, delivery and restaurant partners. In each letter the company noted that it became aware on May 17, 2019 that an unauthorized third party had gained entry to the firm’s network on May 3. While the company was at that point able to shut down access, it was too late to stop information from being compromised.
For diners, the company said the malicious actors may have accessed the payment card information of a limited number of diners, and for that specific group this would have included name, credit card ending in numbers, expiration date, card verification code, billing address, email address and phone number.
Restaurant and delivery partners may have had their company name, client's name, company address, phone number, email address, bank account and routing number compromised. However, EatStreet does believe the exposed data has been used as a result of this incident.
EatStreet said since the incident it has taken steps to further lock down its accounts.
“We audited our systems to validate that there was no other unauthorized access. In addition, we have enhanced the security of our systems, including reinforcing multi-factor authentication, rotating credential keys and reviewing and updating coding practices. EatStreet continues to work with outside experts to identify other measures it can take to improve its security controls,” the company wrote.
The company did not indicate how many customers and partner firms were impacted by the breach, but the company operates in dozens of cities in 38 states and the District of Columbia. Colin Little, senior threat analyst at Centripetal Networks, raised the question of whether these types of incidents will start to affect customers' decisions on where they do business.
“With the number of mobile or cloud-based consumer services a person leverages day-to-day, and the two-week time-to-detect for complete access to a database that contains some of the most sensitive PII, this event shows that consumers deserve organizations who will proactively hunt for threats to minimize the risk to consumer data,” he said.