Grubhub Acknowledges Data Breach Impacting Customers and Drivers

Grubhub, the prominent U.S. food delivery service, has reported that hackers gained access to the personal information of customers and drivers following a breach of its internal systems.

With over 375,000 merchants and 200,000 delivery providers operating in more than 4,000 cities across the U.S., Grubhub is a widely used food ordering and delivery platform. The company was acquired by New York-based Wonder Group last fall in a deal valued at $650 million, significantly less than the $7.3 billion that Just Eat Takeaway paid for it in 2020.

On Monday, Grubhub announced a data breach that has impacted the personal data of an undisclosed number of customers, merchants, and drivers. The company detected "unusual activity" within its network, which it traced back to a third-party service provider.

"Upon discovery, we promptly launched an investigation, identifying unauthorized access to an account associated with this provider," Grubhub stated. "We immediately terminated the account’s access and removed the service provider from our systems entirely."

The breach allowed hackers to access personal information of customers, merchants, and drivers who had interacted with Grubhub's customer care service. It also affected users of Grubhub’s Campus Dining service, which enables university students to use their meal credits on the app.

Grubhub reported that the accessed personal details include names, email addresses, phone numbers, and partial payment card information—specifically the last four digits of the card number—for a "subset" of campus diners. Additionally, hashed passwords for certain legacy systems were compromised, although Grubhub confirmed that bank account details and Social Security numbers were not affected.

While Grubhub has not disclosed the number of individuals impacted by the breach, it has also not confirmed when the incident took place.