Hacker Steals Customer Payment Information in EatStreet Data Breach

The online food ordering service EatStreet revealed a security incident in May that led to a data breach involving customer payment card information and sensitive information from delivery and restaurant partners.
EatStreet “currently serves over 15,000 restaurants in over 1,100 cities,” according to the company’s website, and is a “one stop shop for online ordering and marketing,” offering partner restaurants web, mobile and social products for online ordering.
Although the number of customers and partners affected by the security incident is not provided in the data breach notifications sent to affected parties, the company’s Android app had more than 100,000 installations as of June 5, 2019, according to its Google Play Store entry.
EatStreet says the hacker was able to access its database between May 3 and May 17, when the breach was detected:
On May 3, 2019, an unauthorized third party gained access to our database, which we discovered on May 17, 2019. The unauthorized third party was able to acquire information that was in our database on May 3, 2019. We were, however, able to quickly end the unauthorized access to our systems when we discovered the incident.
The company sent separate breach notification letters to delivery and restaurant partners, indicating that the hacker was able to access information such as names, addresses, phone numbers and e-mail addresses, as well as bank accounts and routing numbers.
In the case of customers who have used the EatStreet platform to place food orders, the information involved in the data breach includes payment card information for a limited number of diners, with the hacker having access to data including names, credit card numbers (with expiration dates and card verification codes), billing addresses, email addresses and phone numbers.
After the incident was detected, the company “hired a leading external computer forensics firm to respond to and investigate the incident. We audited our systems to validate that there was no other unauthorized access.”
The notifications were sent out with very little delay, as no law enforcement agency is involved in the ongoing investigations, according to EatStreet:
EatStreet continues to work with external experts to identify other steps it can take to improve its security controls. While our investigation is ongoing, no law enforcement investigation has delayed notification.
EatStreet has also alerted credit card payment processors so that they are aware of the breach and can act accordingly to protect their customers.
“In addition, we have improved the security of our systems, including strengthening multi-factor authentication, rotating identification keys and reviewing and updating coding practices,” EatStreet also said in the breach notifications.