Cyber Incident Victim: Grubhub
Date: Apr 2021
Location: United States of America
Summary
A breach involving multiple online restaurant ordering platforms compromised approximately 343,000 payment cards, with attackers targeting third-party services akin to Grubhub. Cybercriminals deployed Magecart skimming attacks against platforms operating under two distinct models: three platforms served as direct ordering infrastructure for over 70 restaurants, while two others operated as supplemental third-party systems for hundreds of establishments. The incidents enabled card-not-present fraud, indirectly exposing customer payment data across affected restaurants. The Keeper hacking group was identified as responsible for these coordinated attacks, exploiting centralized platforms to harvest financial information from transactions.
Description
In April 2021, cybersecurity firm Gemini Advisory reported breaches impacting five online restaurant ordering platforms over a six-month period, compromising approximately 343,000 payment cards. The affected platforms operated under two distinct models. Three platforms—including Easy Ordering and E-Dining Express—provided direct ordering and point-of-sale infrastructure to individual restaurants, enabling threat actors to steal payment data directly from at least 70 restaurants using these services. Two other platforms—Grabull and an unnamed entity—functioned as third-party ordering systems complementing restaurants' existing infrastructure, similar in structure to larger services like Grubhub. In this secondary model, payment card data was stolen indirectly from any restaurant that processed orders through the compromised platforms. The breaches stemmed from Magecart attacks deployed by the "Keeper" hacking group, which injected malicious code to harvest card details during online transactions.

Gemini Advisory's initial report named specific entities but later edited its findings in early May 2021 to remove two platform names, citing sensitivity and ongoing investigations. The firm clarified this revision was not a retraction or correction of its original findings. The breaches exposed vulnerabilities in third-party ordering systems used by hundreds of restaurants, with stolen card data appearing on dark web marketplaces. No direct mitigation actions by affected restaurants or platforms were disclosed in the report. Gemini emphasized the challenges for consumers in identifying compromised platforms, as transactions often appeared to originate from restaurant-branded sites rather than the underlying third-party services. The incident highlighted systemic risks in the restaurant industry's reliance on centralized online ordering infrastructure during increased pandemic-driven demand.
