Deliveroo and Just Eat data governance hard to swallow

Two of the most popular takeaway apps in the world, Deliveroo and Just Eat, have had their data governance called into question amid fresh claims by customers that their accounts have been hacked and used to buy food they had not ordered.
A number of Deliveroo customers have told the BBC they only found out that their accounts had been accessed when they received an email from the company saying the email address linked to their account had been changed.
However, one customer claimed Deliveroo took five days to shut his account after he reported fraudulent activity.
Both firms insist their own systems have not been breached and that passwords have been obtained from another source. Deliveroo said it had introduced new measures this year to protect users.
However, the firm peddled out exactly the same “not us, guv” excuse as far back as 2016, when BBC’s Watchdog programme exposed similar issues.
Meanwhile, Just Eat also confirmed it had received reports of “isolated” fraudulent activity, which it said appeared to be the result of “malicious third parties using usernames and passwords from an unknown source”.
Last week, one Just Eat customer posted on Twitter that they had cancelled their bank card after it was fraudulently used to purchase food through the app. The customer claimed they had been told by the company’s customer services they had received “numerous calls” about similar issues that day.
The firm maintained it took customer data security “extremely seriously” and was liaising with those who had reported fraudulent activity.
The issue will be highly embarrassing for Just Eat bosses; last year they announced they would be joining a new World Federation of Advertisers advisory board to develop a data ecosystem that would go way beyond the requirements of GDPR.
Article 33 of the regulation dictates that, in the event of a personal data breach, data controllers must notify the appropriate supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it”.
