The food delivery service DoorDash recently admitted that hackers had stolen the personal information of 4.9 million customers, delivery workers, and merchants in a data breach.
The organization said the breach occurred on May 4, 2019. However, it did not explain why it took nearly five months from the time of the breach for the organization to detect and report it.
A spokesperson for DoorDash said that a third-party service provider caused the breach. She said that DoorDash launched an investigation and hired outside security experts to determine how the breach occurred.
According to the organization, customers who created accounts after April 5, 2018 were not affected by the data breach. However, hackers accessed the names, email and delivery addresses, order histories, phone numbers, last four digits of payment cards, and passwords of users who joined before that date.
In addition, hackers stole the last four digits of the bank account numbers of delivery workers and merchants. Around 100,000 delivery workers also had their driver's license information stolen.
A year ago, DoorDash customers alleged that hackers had breached their accounts, but DoorDash denied a data breach at that time. The organization stated that cybercriminals were using usernames and passwords stolen from other accounts to carry out credential stuffing attacks. However, a number of customers said that their DoorDash password was unique, meaning it could only have been stolen through a data breach at DoorDash.
Zack Whittaker, "DoorDash confirms data breach affected 4.9 million customers, workers and merchants," techcrunch.com (Sep. 26, 2019).
Third-party service providers increase the risk of a cyberattack, particularly if they do not have proper cybersecurity protections in place. To reduce the risk that your organization could be liable for a data breach resulting from the negligence of a third-party provider, always perform due diligence in selecting and monitoring them.
First, only select service providers whose protections are as rigorous as your organization's own. Make certain they actually have, and actually use, the protections they claim to use.
You should also monitor your service providers to make sure they are living up to the cybersecurity standards that they promised. If possible, use an external cybersecurity firm to audit their cyber protections for continued effectiveness. Routinely check their services to make sure that data can only be accessed in the way stated by the provider.
When new cybersecurity protections become available, work with your third-party service provider to confirm that they are implementing the latest cybersecurity technology and keeping all systems up-to-date. Share knowledge of new threats with your provider. If a service provider allows their protections to lag by failing to keep abreast of new threats and protections, consider changing providers.
Only share as much information as the third-party service provider needs to perform its function. Make sure your method for sharing information is secure and minimizes the risk that a hacker could steal the data in transit.
By ensuring that your third-party service providers maintain strong, up-to-date cybersecurity protections and have access only to the data they need, you reduce the odds of a data breach affecting your customers and hurting your reputation.