EatStreet Data Breach Customer Payment Info

EatStreet Data Breach

Online food ordering service EatStreet reported a May security incident leading to a data infringement involving information from the custodian card and sensitive information from delivery partners and restaurant partners.

EatStreet currently “serves over 15,000 restaurants in more than 1,100 cities” according to the company’s website, and it is a “one-stop shop for online ordering and marketing,” offering online ordering, mobile, and online social products to partner restaurants, while the data violation notifications do not provide customers and partners affected by the security incident

EatStreet says that between 3 and 17 May, the hacker had access to his database when a breach had been detected:

An unauthorized third party had access to our database on 3 May 2019, which we found on 17 May 2019. On 3 May 2019, the unauthorized third party could acquire information contained in our database. However, when we discovered the incident, we were able to stop unauthorized access to our systems immediately.

The company sent delivery and restaurant partners separate breach alert letters saying the hacker was able to access information such as names, addresses, telephone numbers, email addresses, bank accounts and routing numbers.

For customers who made food orders using the EatStreet platform, the data breach information includes payment card information for a limited number of diners, with the hacker having access to data including names, credit card numbers (with expiry dates and card verification codes), billing addresses, email addresses, and telephone numbers.

After the incident was detected, the company “hired a leading external IT forensics firm to respond and investigate the incident. We audited our systems to validate that there was no other unauthorized access.”

Notifications were sent with very little delay given that no law enforcement agencies are involved in the ongoing investigations as per EatStreet:

EatStreet continues to cooperate with external professionals with a view to identifying other measures it can take to improve its security controls. There has been no legal enforcement investigation, which has delayed notification of you while our investigation continues.

EatStreet has also alerted credit card payment processors to be aware of the infringement and to protect their customers accordingly.

“In addition, we have enhanced the security of our systems, including strengthening multi-factor authentication, rotating credential keys, and reviewing and updating coding practices,” says EatStreet in the breach notifications.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.