(NEXSTAR) — Food delivery service Grubhub says a “security incident” allowed “unauthorized access” to the contact information for an unknown number of customers and drivers.
The breach involved a third-party service provider, the company said Monday, explaining that an investigation was recently launched after “unusual activity” was detected. The third-party contractor was reportedly providing services for Grubhub’s Support Team.
“We immediately terminated the account’s access and removed the service provider from our systems altogether,” Grubhub said in a press release, adding that it is “confident that the incident has been fully contained.”
It’s not clear how many users were impacted by the data breach, though Grubhub notes that “contact information of campus diners, as well as diners, merchants and drivers who interacted with our customer care service” was accessed.
That data includes names, email addresses, and phone numbers. For some Campus Dining users (this service is for students to use on and off campus), Grubhub says the payment card type and the last four digits of the card’s number were also accessed.
While some hashed company passwords were accessed, no customer passwords were impacted. Grubhub is, however, reminding customers that their passwords should be unique “to minimize risk.”
According to Grubhub, full payment card numbers, bank account details, Social Security numbers, driver’s license numbers, and merchant login information were not accessed by the unauthorized party.
“We have taken decisive steps to further secure our systems and are actively strengthening our security controls to prevent similar incidents in the future,” the company said. Grubhub did not immediately respond to Nexstar’s request for additional information.
Grubhub, based in Illinois, was recently purchased by New York-based Wonder Group.
