In September, DoorDash confirmed that 4.9 million users were affected by a data breach that took place in May. The company did not say why it took five months to detect the breach.
In a blog post, DoorDash said that an unauthorized third party accessed some user data on May 4, 2019, and that the company immediately launched an investigation and blocked further access by the unauthorized third party.
DoorDash did not name the third party at the time of this publication.
Not every user was affected by the data breach. Approximately 4.9 million consumers, Dashers and merchants who joined the platform on or before April 5, 2018 were affected. Those who joined after April 5, 2018 were not affected.
The types of user data accessed could include:
- Profile information including names, email addresses, delivery addresses, order history, phone numbers, as well as hashed, salted passwords — a form of rendering the actual password indecipherable to third parties.
- For some consumers, the last four digits of consumer payment cards. However, full credit card information such as full payment card numbers or a CVV was not accessed.
- For some Dashers and merchants, the last four digits of their bank account number. However, full bank account information was not accessed.
- For approximately 100,000 Dashers, their driver’s license numbers were also accessed.
The company has reached out directly to affected users with specific information regarding what was accessed. At the time of this publication, user passwords have not been compromised, but DoorDash is encouraging all those affected to reset their passwords.
Now, the state of New York is suing the company, alleging the company breached its duty of care by failing to safeguard the information of its users and drivers. The suit alleges negligence, unjust enrichment and other counts.
The lawsuit details the data breach, alleging that 100,000 drivers for the defendant had driver's license details hacked as well. It also alleges the company didn't alert users of the data breach until September.
“This allowed the private information of plaintiff and class members to be circulated and available on the internet and likely on the ‘dark web,’ a part of the internet that is notorious for the trading in private and hacked data,” the lawsuit states.
The plaintiff, Melissa Nelson, alleges she and the proposed class members may or will endure the loss of access to online accounts because of the breach, expecting her personal information is on sale on the dark web.
She asked the court to green-light the class and certify her as a class representative, an order for DoorDash to correct the issue, and to be granted monetary damages and interest as well as attorney fees and court-related costs. She’s represented by Spencer Sheehan of Sheehan & Associates PC in Great Neck, New York.
This article was originally posted in September 2019 and has been updated to reflect current information.