Deliveroo, the takeaway food app, is the latest business to suffer an embarrassing data breach after an investigation by the BBC’s Watchdog programme showed customers have had their accounts hacked and been charged for food that they had not ordered.
Launched in 2013, the offers customers access to nearby takeaway services in dozens of towns and cities across the UK. But it seems some customers have been getting more than they bargained for, with one saying that £200 was spent on burgers delivered to numerous addresses – but not their home.
One user told Watchdog: “I noticed that I had a ‘thank you’ email from Deliveroo for a burger joint in Chiswick. I thought that was really odd so I went on to my account and had a look and there had been four orders that afternoon to a couple of addresses in London.”
Meanwhile another was charged £113.70 for chicken, waffles and chips that she did not order while a third was charged £98 for a delivery from TGI Friday which was 86 miles away from his home.
The firm insisted the hacks were carried out using passwords stolen in previous data breaches on other companies and denied that any financial data had been stolen. All of the customers have now been refunded.
In a statement, Deliveroo said: “Customer security is crucial to us and instances of fraud on our system are rare, but where customers have encountered a problem, we take it very seriously.
“We are aware of these cases raised by Watchdog – they involve stolen food, not credit card numbers. These issues occur when criminals use a password stolen from another service unrelated to our company in a major data breach.”
Adult site confirms 419m users have been exposed
Three would face whopping £1.8bn fine under GDPR
17-year-old lad pleads guilty to TalkTalk ‘car crash’
TalkTalk could have faced £70m fine under GDPR
Blunder exposes 50,000 Virgin Media job applicants