DoorDash has confirmed a data breach impacting 4.9 million users including customers, delivery workers (Dashers) and merchants. The food delivery company said that the breach happened on May 4 and that customers who joined after April 5, 2019 are not affected. It’s still unclear why it took several months for DoorDash to publicly address the incident.
- Users who joined the platform before April 5, 2018 had their name, email and delivery addresses, order history, phone numbers and hashed and salted passwords stolen.
- Consumers had the last four digits of their payment cards taken, though full numbers and card verification values (CVV) were not taken.
- Both delivery workers and merchants had the last four digits of their bank account numbers stolen.
- Around 100,000 delivery workers had their driver’s license information stolen.
DoorDash spokesperson blamed the breach on \”a third-party service provider\”, without disclosing the name of the provider. But before blaming the third-party service provider, DoorDash should security assess its internal process of sharing data with third-party service providers. In today\’s connected world, the security of the business partner is equally important as the company\’s own security. Given the scale of business partners, how much risk do companies experience? One typical risk is the exposure to the volume of data shared with business partners. \”Need-to-know\” and \”Need-to-do\” security principles must be applied when sharing data with business partners and should have legal terms protecting data privacy, confidentiality and integrity.
The second issue is the detection of a data breach. It tooks five months for DoorDash to detect the breach but the reason for the delay is not clear. It is important for the company to find out what went wrong and should devise its security controls accordingly.
Given the changing landscape of the threats and business processes, companies should keep on devising security strategies to respond to new forms of attacks quickly and to minimize risk to the business.
Seven months ago, DoorDash announced $400 million in Series F funding and the company says the funding came at a $7.1 billion valuation. The company’s growth can be attributed to its reach of 3,300 cities across the U.S. and Canada, its selection of partners and DoorDash Drive which allows businesses to make their own deliveries within the DoorDash network. However, in a saturated food delivery app market, DoorDash must recognize that cybersecurity and customer privacy are becoming essential facets to a successful business. After suffering two different security incidents within around a year’s span, DoorDash users may look to competing services such as Uber Eats, Grub Hub or Postmates to meet their demand. In fact, 87% of customers will take their business elsewhere if they do not trust a company is handling their data responsibly.
With DoorDash’s massive reach and customer base, it is imperative that they shoulder the responsibility of continuously monitoring all assets across hundreds of attack vectors to detect vulnerabilities. This involves analyzing millions, if not billions, of time-varying data signals continuously, and in real time. Analyzing all this is no longer a human scale problem anymore so organizations need to leverage security tools that employ AI, ML and deep learning technology to continuously observe and analyze the entire network in real time and derive insights in order to prioritize the vulnerabilities that need to be addressed in a prioritized manner.
The DoorDash data breach demonstrates how careful companies need to be when selecting partners and understanding the access rights and security posture they have. While DoorDash, for example, could have done all of the security due diligence for itself as a company, if its partners weren’t secure, then neither was DoorDash. Companies need to be more vigilant in understanding how secure their partners are and what data they share with them. Data should be treated according to sensitivity, if there is no need to share, then it should be kept within their own network. What’s more, technology needs to be in place to identify where data theft might be occurring. With detailed network visibility, for example, companies can see what data is leaving their network and understand if it is legitimate. Where it is not, they then have the actionable intelligence to close it down and eliminate the risk. With such sensitive data at risk – including driving license numbers, personally identifiable information, financial details and hashed passwords – ensuring that your partners and supply chain share the same cybersecurity ethos as you is critical.
Data in the wrong hands – especially personally identifiable information – can have a huge impact on customers. Personal information, combined with other user data from other breaches and social media, builds a complete profile. In the hands of fraudsters and criminal organisations, these valuable identity sets are usually sold to other cybercriminals and used for a myriad of criminal activities, both on the Internet and in the physical world. Every hack has a snowball effect that far outlasts the initial breach.
We must change the current equation of \”breach = fraud\” by changing how companies think about online identity verification; the key is to make it valueless. Once the customer’s data is out, it doesn’t have to generate losses for that client or the company where the data is used. Companies can use technologies that detect when this data is being used. Most of the times, the data is used on automated attacks that can be detected with good bot-detection and behavior evaluation tools. Additionally, technologies that look at inherent user patterns like passive biometrics add to security by flagging when the right information is presented for a user, but that user is behaving unusually. The balance of power will return to customer protection when more companies implement such techniques and technology.
With this being the 2nd major breach reported by Door Dash in a relatively short time-frame, its clear that lessons haven\’t been learned. In any data breach scenario, the most critical element is communication. When customer personally identifiable information (PII) is believed to have been breached, or at risk as a result of a suspected breach, consumer and industry confidence can only be salvaged through transparency. The challenge with delaying breach (or potential breach) communication is in the increased risk of further compromise to those affected; cyber criminals will undoubtedly capitalise on any gathered PII to facilitate more targeted campaigns, such as phishing or further identity based theft attacks.
The challenge for any organisation that suffers a breach, is always in their ability to investigate and understand the extent of the breach (what, when, whom & where else) in a timely manner; we\’ve seen in countless reports this past several years that the time-to-report is averaging several months or more.
Understanding the nature of a breach doesn\’t have to be complicated in today\’s technological climate, especially if organisations are following standard practices in data monitoring, analysis and incident response frameworks. Lessons need to be learned here, not least the importance of truly understanding the nature of what you\’re protecting as a business and whom your protecting it from (insiders, 3rd parties, external customers, etc..).