Cyber Incident Victim: Delivery Club

On or around May 20, 2022, Russian food delivery service Delivery Club publicly confirmed a data leak involving customer orders processed between May 2020 and July 2021. The breach exposed approximately 250 million rows of sensitive customer information, including delivery addresses, phone numbers, and email addresses. The company did not disclose the exact date of discovery or the specific technical vector through which the data was compromised. Public reporting indicated the origin of the breach remained unidentified at the time of confirmation, with no attribution to specific threat actors or methods. The compromised data spanned 14 months of transactions, suggesting potential systemic vulnerabilities in data storage or processing systems during that period. Delivery Club did not initially clarify whether the leak resulted from external intrusion, insider threats, or inadvertent exposure.

The incident represented one of the largest publicly disclosed consumer data exposures in Russia's delivery sector at the time, affecting an unspecified number of individuals whose personal information appeared in the leaked records. Delivery Club's confirmation constituted its primary documented response action, with no additional remediation measures or forensic findings detailed in available sources. The exposure of physical addresses alongside contact details elevated privacy risks for affected customers, potentially enabling targeted phishing campaigns or physical security threats. No information was released regarding regulatory notifications, customer compensation efforts, or system enhancements implemented post-disclosure. The breach's operational consequences and financial impact on Delivery Club remained unquantified in public reporting.