Food delivery giant Grubhub confirmed a significant data breach involving unauthorized access to its internal systems, compromising the personal information of customers, drivers, and merchants. The Illinois-based company revealed that the incident was traced back to a third-party service provider.
How the Breach Occurred
Grubhub identified “unusual activity” within its network, which led to the discovery of a compromised account linked to a third-party vendor. In an official statement, the company confirmed that it immediately revoked the provider’s access and severed ties with the service, removing them from its systems entirely.
Data Impacted: What Was Stolen?
The intrusion specifically targeted individuals who interacted with Grubhub’s customer care services, as well as users of the Campus Dining program, which integrates university meal credits with the delivery platform. While the company has not disclosed the exact number of affected users, it confirmed that the stolen data includes:
- Full names
- Email addresses
- Phone numbers
- Partial payment card information (last four digits only) for a subset of campus diners
- Hashed passwords for specific legacy systems
Grubhub explicitly stated that full bank account details and Social Security numbers remain secure and were not part of the data exposed during this incident.
Scope and Timeline Uncertainties
Despite the disclosure, several critical details remain under wraps. Grubhub has yet to announce a specific timeline regarding when the breach took place or the total count of impacted individuals across its network. The platform, which operates in over 4,000 U.S. cities and supports more than 375,000 merchants and 200,000 delivery providers, was acquired by New York-based Wonder Group last fall for $650 million.
The company has not yet provided further commentary regarding the ongoing investigation or potential notifications to regulatory bodies.