A Wisconsin-based company named EatStreetis one of many successful businesses around US when it comes to online food ordering and delivery services. With more than 100,000 installs in the company’s android app on Google Play store, EatStreet is one of the leading online and mobile food ordering service currently servicing over 15,000 restaurants in more than 1,100 cities. Based on what the company has achieved, it is more likely to be targeted by cybercriminals. Nowadays, thieves gain more information by targeting individuals through phishing, malware attacks, and/or other forms of social engineering.
Recently, EatStreet disclosed to the public that a security breach hit the company’s database compromising customer’s and diner’s information including names, phone numbers, email addresses, and credit card numbers with expiration dates and card verification codes. For its restaurant and delivery partners compromised information may include their company name, clients name, company address, phone number, email address, bank account and routing number. Customers who used the EatStreet service, either through the android app or through their website were affected by the said security breach.
As per the California State Attorney General’s office, the company immediately sent notification letters to its diners, delivery and restaurant partners informing that on May 17, 2019 they became aware that an unauthorized third party gained access to their database last May 3, 2019. This incident allows hackers to acquire information that was stored in their database. And that even though the company promptly terminated the unauthorized access to their systems upon discovering the incident, it was too late to stop the information from being compromised.
After detecting the data breach, they immediately hire cybersecurity experts to conduct an investigation regarding the incident and to provide them with online fraud prevention measures.Together with the help of these experts, they found out that the hacker who was responsible for this data breach hides with twitter username, Gnostic players, the same hacker who previously breached many other online services and claimed to have accessed 6 million records in the incident.
EatStreet have also audited and enhanced their systems by reinforcing multi-factor authentication, rotating credential keys, and reviewing and updating coding practices, to validate that there was no other unauthorized access. EatStreet continues to work with outside security experts to identify other cybercrime solutions it can take to improve its online fraud prevention plan. While the investigation was on going, there was no law enforcement investigation that delayed notification to customers. Credit card payment processors was also alerted in order for them to be aware and act accordingly to protect their diners and delivery and restaurant partners.
A cybersecurity researcher said in a statement that with the number of mobile or cloudbased consumer services a person leverages day-to-day, and the two-week time to detect for complete access to the database that contains some of the most sensitive PII, this incident shows that consumers deserve organizations who will proactively hunt for threats to minimize the risk to consumer’s data. EatStreet did not provide the exact number of customers and partner firms affected by the security breach, but the company operates in dozens of cities in 38 states and the District of Columbia.