Back in 2016, dozens of disgruntled customers took to Twitter to complain that their Deliveroo accounts had been hacked, with fraudulent food orders, some worth hundreds of pounds, sent to various addresses.

Some criticised the company for failing to act quickly to block accounts, or refund the money after the incident has been reported.

On Friday, New Statesman journalist Sarah Manavis wrote about her experiences of her Deliveroo account being used to order “£100 worth of food”, suggesting that three years after the issue surfaced, Deliveroo is still susceptible to this type of attack.

Is the food delivery service putting customer data at risk?

Customers have been the victim of “credential stuffing”

A 2016 BBC Watchdog investigation looked into the issue, and discovered that hundreds of pounds worth of food customers had not ordered had been delivered through the website.

Deliveroo told the BBC that no financial information had been stolen from Deliveroo itself, but instead occur when another data breach has occurred and a customer uses the same email or password on a different website:

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Verdict.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

“These issues occur when criminals use a password stolen from another service unrelated to our company in a major data breach. The stolen password is then used to fraudulently access someone’s account. This is why we urge customers to use strong and unique.

“We also use industry-leading anti-fraud measures and deploy anomaly detection techniques through machine learning to track patterns of criminal activity. This blocks transactions when our system detects suspicious activity.”

A Deliveroo spokesperson told Verdict that the most likely cause of the fraudulent activity was a technique called “credential stuffing”. This refers to a type of fraud where an attacker uses stolen account credentials such as usernames, email addresses or passwords, and attempts to gain access to other websites using the same credentials.

When customers use the same passwords on multiple websites, they put themselves at risk of such attacks. If their account on one website is affected by a data breach, attackers can then gain unauthorised access to their other accounts using the same password.

Unusually, in this case the attackers appear not to have used the credentials for financial gain but to order large quantities of food and alcohol.

The Deliveroo fraud incident highlights the importance of changing passwords

Three years since it was first brought to light, why are Deliveroo customers still at risk? Joseph Carson, Chief security scientist at Thycotic explains that if customers use the same passwords across multiple accounts, it is difficult for companies to offer protection:

“The reason such incidents tend to occur can have many root causes, but the most common is that the consumers’ device is infected with malware, stealing both credit card information and passwords used via the browser when making payments. The internet service’s own website is then infected and steals all payment details used on the service such as what had occurred in 2018 with British Airways.

“Or, the consumer used poor password practices such as reusing passwords on multiple accounts so cybercriminals are able to use previously disclosed passwords to access multiple internet services abusing them. In many of these incidents it is the credit card company who can really help in identifying the possible correlation between such fraud cases.”

He believes that the Deliveroo fraud incident highlights how vigilant users need to be with regards to password security:

“This is going to continue to be the hard reality that cybercriminals are going to abuse internet services that fail to follow due diligence on payments and fraud will continue to increase. The lessons on this recent fraud investigation related to Deliveroo is that people need to be more aware of the risks and these 3 basic tips will help reduce those risks.

“Any internet service that is using or storing your payment details should have a minimum of two factor authentication keeping it safe, use a password manager to create complex passwords so that every account is protected with a long complex unique password and always use a credit card versus a debit card so that you have better protection when fraud does occur which improves the possibility of getting your money back.”

Has the company broken GDPR?

But does this mean that Deliveroo is liable to fines under General Data Protection Regulation (GDPR)?

According to the Financial Times, the UK Information Commissioner’s Office is looking into the incident after Deliveroo contacted the watchdog about “limited fraudulent activity” on some customers’ accounts.

Under GDPR, companies have an obligation to follow correct data storage practices to ensure that customer data is not put at risk. As the breach did not occur through Deliveroo itself, but most likely through previous breaches, but until the exact nature of the breaches is uncovered, it is unclear at this stage whether Deliveroo is liable. A Deliveroo spokesperson has confirmed that the company had checked its servers and no such breach had taken place.

Carson said:

“A big question is with GDPR and how this applies to Deliveroo fraud incidents. This is very difficult at this stage as no details on the incident have been disclosed publicly yet nor if Deliveroo has been in contact with any Data Protection Authority reporting the incidents.”

One of the responsibilities a company has under GDPR is also to investigate any data breaches, and inform customers if they have been affected. Carson points out that although the breach occurred outside of the company, the fact that email addresses and delivery addresses were changed should have alerted the company to a possible breach:

“From the information made available, what appears to be in question is whether Deliveroo complied with keeping personal information accurate and up to date – as from the incident it appears that email addresses of the victims had been modified and Deliveroo should have verified identities prior to permitting further payments.  Until further details are disclosed, Deliveroo will be under serious pressure to investigate the issue fully and comply with EU GDPR breach notification requirements.”

Although it is unclear whether Deliveroo is at risk from hefty GDPR fines,  the Deliveroo fraud incident highlights that companies, and customers, must be vigilant, especially considering the frequency of large-scale breaches. Commenting on the news, Javvad Malik, security advocate at AlienVault believes that certain security practices are necessary:

“In today’s world, it is relatively easy for a company to go from concept to product in a short span of time. However, speed should not come at the expense of security, particularly where is comes to customers personal and financial data. The more data a company holds, the bigger the risk it carries, therefore, it should be careful in which data it stores and how – segregating systems where necessary and offloading certain aspects of security to trusted third parties, such as financial transactions as opposed to holding and processing all information in-house.”

A Deliveroo spokesperson told Verdict that the company was working to ensure customers are protected:

“Deliveroo takes security extremely seriously and is constantly working to combat fraud on behalf of our users. Sadly fraudsters rely on the fact that people reuse the same passwords on multiple online services and use data breaches elsewhere to try gain access to other accounts on the web. As soon as any customer makes us aware of fraudulent activity we immediately suspend their account to prevent further fraud. We regularly advise customers to strengthen their online security by using different passwords online.”

They also said that the company had measures in place to ensure GDPR compliance:

“We have a number of active security measures looking for fraudulent orders, which try to block fraudulent orders, and we’re constantly trying to improve the service, but you’re in a cat and mouse game where if somebody can get hold of a user’s password because they use the same password all over, you’re constantly working out how they got access and you’re trying to block that.

“We complied with our obligations for GDPR…we have security measures including encryption and password hashing to keep user information secure and in terms of reporting commitments, we comply.”

Sign up for our daily news round-up!

Give your business an edge with our leading industry insights.

Sign up