Back in 2016, dozens of disgruntled customers took to Twitter to complain that their Deliveroo accounts had been hacked, with fraudulent food orders, some worth hundreds of pounds, sent to various addresses.

Some criticised the company for failing to act quickly to block accounts, or refund the money after the incident has been reported.

On Friday, New Statesman journalist Sarah Manavis wrote about her experiences of her Deliveroo account being used to order “£100 worth of food”, suggesting that three years after the issue surfaced, Deliveroo is still susceptible to this type of attack.

Is the food delivery service putting customer data at risk?

Customers have been the victim of “credential stuffing”

A 2016 BBC Watchdog investigation looked into the issue, and discovered that hundreds of pounds worth of food customers had not ordered had been delivered through the website.

Deliveroo told the BBC that no financial information had been stolen from Deliveroo itself, but instead occur when another data breach has occurred and a customer uses the same email or password on a different website:

“These issues occur when criminals use a password stolen from another service unrelated to our company in a major data breach. The stolen password is then used to fraudulently access someone’s account. This is why we urge customers to use strong and unique.

“We also use industry-leading anti-fraud measures and deploy anomaly detection techniques through machine learning to track patterns of criminal activity. This blocks transactions when our system detects suspicious activity.”

A Deliveroo spokesperson told Verdict that the most likely cause of the fraudulent activity was a technique called “credential stuffing”. This refers to a type of fraud where an attacker uses stolen account credentials such as usernames, email addresses or passwords, and attempts to gain access to other websites using the same credentials.

When customers use the same passwords on multiple websites, they put themselves at risk of such attacks. If their account on one website is affected by a data breach, attackers can then gain unauthorised access to their other accounts using the same password.

Unusually, in this case the attackers appear not to have used the credentials for financial gain but to order large quantities of food and alcohol.

The Deliveroo fraud incident highlights the importance of changing passwords

Three years since it was first brought to light, why are Deliveroo customers still at risk? Joseph Carson, Chief security scientist at Thycotic explains that if customers use the same passwords across multiple accounts, it is difficult for companies to offer protection:

3 Things That Will Change the World Today

“The reason such incidents tend to occur can have many root causes, but the most common is that the consumers’ device is infected with malware, stealing both credit card information and passwords used via the browser when making payments. The internet service’s own website is then infected and steals all payment details used on the service such as what had occurred in 2018 with British Airways.

“Or, the consumer used poor password practices such as reusing passwords on multiple accounts so cybercriminals are able to use previously disclosed passwords to access multiple internet services abusing them. In many of these incidents it is the credit card company who can really help in identifying the possible correlation between such fraud cases.”

He believes that the Deliveroo fraud incident highlights how vigilant users need to be with regards to password security:

“This is going to continue to be the hard reality that cybercriminals are going to abuse internet services that fail to follow due diligence on payments and fraud will continue to increase. The lessons on this recent fraud investigation related to Deliveroo is that people need to be more aware of the risks and these 3 basic tips will help reduce those risks.

“Any internet service that is using or storing your payment details should have a minimum of two factor authentication keeping it safe, use a password manager to create complex passwords so that every account is protected with a long complex unique password and always use a credit card versus a debit card so that you have better protection when fraud does occur which improves the possibility of getting your money back.”

Has the company broken GDPR?

But does this mean that Deliveroo is liable to fines under General Data Protection Regulation (GDPR)?

According to the Financial Times, the UK Information Commissioner’s Office is looking into the incident after Deliveroo contacted the watchdog about “limited fraudulent activity” on some customers’ accounts.

Under GDPR, companies have an obligation to follow correct data storage practices to ensure that customer data is not put at risk. As the breach did not occur through Deliveroo itself, but most likely through previous breaches, but until the exact nature of the breaches is uncovered, it is unclear at this stage whether Deliveroo is liable. A Deliveroo spokesperson has confirmed that the company had checked its servers and no such breach had taken place.

Carson said:

“A big question is with GDPR and how this applies to Deliveroo fraud incidents. This is very difficult at this stage as no details on the incident have been disclosed publicly yet nor if Deliveroo has been in contact with any Data Protection Authority reporting the incidents.”

One of the responsibilities a company has under GDPR is also to investigate any data breaches, and inform customers if they have been affected. Carson points out that although the breach occurred outside of the company, the fact that email addresses and delivery addresses were changed should have alerted the company to a possible breach:

“From the information made available, what appears to be in question is whether Deliveroo complied with keeping personal information accurate and up to date – as from the incident it appears that email addresses of the victims had been modified and Deliveroo should have verified identities prior to permitting further payments.  Until further details are disclosed, Deliveroo will be under serious pressure to investigate the issue fully and comply with EU GDPR breach notification requirements.”

Although it is unclear whether Deliveroo is at risk from hefty GDPR fines,  the Deliveroo fraud incident highlights that companies, and customers, must be vigilant, especially considering the frequency of large-scale breaches. Commenting on the news, Javvad Malik, security advocate at AlienVault believes that certain security practices are necessary:

“In today’s world, it is relatively easy for a company to go from concept to product in a short span of time. However, speed should not come at the expense of security, particularly where is comes to customers personal and financial data. The more data a company holds, the bigger the risk it carries, therefore, it should be careful in which data it stores and how – segregating systems where necessary and offloading certain aspects of security to trusted third parties, such as financial transactions as opposed to holding and processing all information in-house.”

A Deliveroo spokesperson told Verdict that the company was working to ensure customers are protected:

“Deliveroo takes security extremely seriously and is constantly working to combat fraud on behalf of our users. Sadly fraudsters rely on the fact that people reuse the same passwords on multiple online services and use data breaches elsewhere to try gain access to other accounts on the web. As soon as any customer makes us aware of fraudulent activity we immediately suspend their account to prevent further fraud. We regularly advise customers to strengthen their online security by using different passwords online.”

They also said that the company had measures in place to ensure GDPR compliance:

“We have a number of active security measures looking for fraudulent orders, which try to block fraudulent orders, and we’re constantly trying to improve the service, but you’re in a cat and mouse game where if somebody can get hold of a user’s password because they use the same password all over, you’re constantly working out how they got access and you’re trying to block that.

“We complied with our obligations for GDPR…we have security measures including encryption and password hashing to keep user information secure and in terms of reporting commitments, we comply.”