Given the size and scale of the incident, it remains unclear why it took several months for DoorDash to publicly address the incident. Furthermore, this is not the first data breach to affect the company. In 2018 DoorDash customers’ notified the company their accounts were hacked in an apparent data breach, according to TechCrunch.
In terms of the implications on service users:
Users who joined the platform before April 5, 2018 had their name, email and delivery addresses, order history, phone numbers and hashed and salted passwords stolen.
Consumers had the last four digits of their payment cards taken, though full numbers and card verification values (CVV) were not taken.
Both delivery workers and merchants had the last four digits of their bank account numbers stolen.
Around 100,000 delivery workers had their driver’s license information stolen.
The incident comes on top of a major expansion with DoorDash’s services. In February 2019, DoorDash announced $400 million in Series F funding and the company says the funding came at a $7.1 billion valuation. The company’s growth can be attributed to its reach of 3,300 cities across the U.S. and Canada. The new data breach will not be helpful in terms of further expansion given the extent that the digital economy is powered by trust. This factor becomes increasingly more important with these types of sharing economy companies who rely on collaboration and communication through trusted parties.
Speaking with Digital Journal about the incident, Peter Goldstein, CTO and Co-founder, Valimail explains the size of the issue: “DoorDash’s data breach — which exposed names, email addresses, delivery addresses, order history, phone numbers, and hashed passwords — puts close to 5 million people at an increased risk for phishing attacks and other fraudulent activity.”
He goes on to explain what hackers might do with this data: “Cybercriminals can use this kind of data, in combination with effective and widely used email impersonation techniques, to send people especially convincing phishing emails. If successful, these phishing attacks can lead to account takeover, identity theft and other scams. In fact, 83 percent of phishing emails are brand or company impersonations.”
Goldstein also expands on the notion of trust in relation to the sharing economy: “Trust is an essential aspect of day-to-day life. People need to be able to trust that the companies and services they use, or work for, are going to protect their sensitive, personal data. Organizations must do a better job at securing that data in order to maintain trust. Additionally, people need to be able to trust that emails they receive are actually sent by real people or entities, as opposed to cybercriminals leveraging impersonation techniques.”
In terms of how businesses like DoorDash can better protect themselves, Goldstein recommends: “Email security solutions that focus on authenticating sender identity are critical to fostering an atmosphere of trust with email communication. This will also help reduce data breaches, since phishing emails are implicated in more than 90 percent of all cyberattacks.”
In addition, Robert Prigge, president of Jumio adds taht Doordash’s breach “highlights why online accounts need to be protected with much stronger forms of authentication, such as biometric-based authentication, which not only more convenient for consumers than traditional methods, but it is also much more secure.”
