Cyber Incident Victim: Glovo

Date: Apr 2021

Location: Spain

Summary

A cybercriminal breached a European delivery startup's systems by exploiting an outdated administration panel, gaining unauthorized access to customer and courier accounts with capabilities including password manipulation. While the company confirmed no payment card information was compromised due to non-retention of such data, concerns emerged regarding potential exposure of couriers' international bank account numbers and tax identifiers. The organization blocked further access, implemented additional security measures, and reported the incident to Spain's data protection authority. Internal investigations detected unauthorized system access but found no evidence of data exfiltration. The breach's occurrence during heightened reliance on delivery services amplified concerns about potential privacy violations and fraud risks for affected users.

Description

On April 29, 2021, Spanish delivery startup Glovo became aware of unauthorized access to one of its systems by a malicious third party. The breach was discovered after cybersecurity firm Hold Security alerted Forbes to screenshots and videos posted by a hacker demonstrating access to Glovo’s account management systems. The hacker had infiltrated the company through an outdated administration panel interface and was actively selling access to customer and courier accounts, including the ability to change passwords. A Glovo user confirmed the authenticity of the compromised data to Forbes, prompting disclosure to the company on April 29. Glovo confirmed the breach on May 3, stating it had blocked the attacker’s access by placing the affected system behind a firewall and conducting log analysis to investigate potential data leaks. The company emphasized that no customer payment card information was accessed, as it does not store such data.

Glovo notified Spain’s data protection authority (AEPD) and committed to cooperating with its investigation. Forensic analysis revealed evidence of the hacker’s presence in the system but found no proof of data exfiltration. The hacker continued offering access to Glovo’s systems as of May 3, raising concerns about exposure of couriers’ international bank account numbers (IBANs) and tax IDs. Hold Security founder Alex Holden warned that unencrypted data could facilitate fraud and privacy violations, a risk exacerbated by the reliance on delivery services during the pandemic. Glovo countered that personal data at rest was encrypted and required authenticated logins with sufficient permissions for access. The company completed system containment by April 30 but did not disclose the full scope of compromised data or the breach’s duration prior to detection.
