Grubhub Reports Data Breach Affecting Some Diners, Drivers and Merchants

Online food delivery marketplace Grubhub said Monday (Feb. 3) that it recently identified an incident involving a third-party contractor in which there was unauthorized access to certain user contact information.

“We took immediate action to contain the situation and have worked with leading forensic experts to investigate the matter,” the company said in a Monday press release. “We are confident that the incident has been fully contained.”

During the incident, an unauthorized individual accessed data of campus diners and of diners, merchants and drivers who interacted with Grubhub’s customer care service, according to the release.

The data included names, email addresses and phone numbers and, for a subset of campus diners, the payment card type and last four digits of the card number, per the release.

It also included hashed passwords for some legacy systems, the release said, adding that Grubhub “proactively rotated any passwords that we believed might have been at risk.”

After detecting unusual activity and investigating the incident, Grubhub found that the intrusion began with an account belonging to a third-party service provider for the company’s support team, according to the release.

Grubhub terminated the account’s access and removed the service provider from its systems, per the release.

To address the incident, the company partnered with a third-party cybersecurity firm to investigate what happened, rotated all relevant passwords to prevent potential unauthorized access, and deployed additional anomaly detection mechanisms across its internal services, according to the release.

“We have taken decisive steps to further secure our systems and are actively strengthening our security controls to prevent similar incidents in the future,” Grubhub said in the release.

Some of the most sophisticated and damaging cyberattacks in history happened in 2024, underscoring the vulnerability of the digital operating landscape, PYMNTS reported in December.

The year’s events included ransomware attacks that crippled critical infrastructure and data breaches that compromised millions of user records.

In October, Bank of America said in an investor note, “If cybercrime damage were a state, it would be the world’s third-largest economy.”

The financial institution’s note added that the average cost of a data breach had risen 10% in 2024.