Cyber Incident Victim: Grabull
Date: Apr 2021
Location: United States of America
Summary
A breach involving Grabull and another unnamed online ordering platform compromised payment card data from hundreds of affiliated restaurants. Attackers deployed Magecart skimming attacks through these third-party services, indirectly exposing transactions processed via the platforms, with approximately 343,000 payment cards affected across multiple breaches. The incident highlighted risks to restaurants utilizing centralized ordering infrastructure, as criminal groups exploited vulnerabilities to steal card information without direct compromise of individual restaurant systems.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In April 2021, Gemini Advisory reported a series of breaches impacting five online restaurant ordering platforms, compromising approximately 343,000 payment cards over the preceding six months. The incident involved two distinct operational models. Three platforms—including Easy Ordering and E-Dining Express—provided direct ordering and point-of-sale infrastructure to individual restaurants, enabling attackers to steal card data directly from at least 70 affected establishments. Grabull and another unnamed platform operated as third-party aggregators, similar to Grubhub or DoorDash, serving hundreds of restaurants by complementing their existing ordering systems. In this model, payment card data was stolen indirectly from customers who placed orders through the compromised platforms. Gemini attributed the breaches to veteran cybercriminal groups like "Keeper," which deployed Magecart-based attacks—a technique typically involving malicious scripts injected into payment pages to harvest card details. The report did not specify the exact timeline of intrusions or detection methods but indicated the breaches were part of a broader surge in card-not-present fraud targeting pandemic-driven increases in online food ordering.

The breaches exposed card data from transactions processed through both types of platforms, though the report did not disclose the exact number of affected restaurants using Grabull’s service. Gemini noted that the incidents highlighted systemic risks for restaurants relying on third-party vendors for payment processing. After the April 29 report, Gemini revised its blog post in early May, removing references to two entities—including Grabull’s originally named counterpart—citing sensitivity around ongoing investigations. DataBreaches.net updated its coverage to reflect these edits after being contacted in September 2021 by a legal team representing one unnamed firm, which claimed Gemini’s initial reporting was inaccurate and damaging. Gemini’s revisions were characterized as clarifications rather than retractions. No specific containment measures or technical responses from Grabull or other platforms were detailed in the available reporting. The primary documented consequences included reputational disputes and the exposure of hundreds of thousands of payment cards, with Gemini urging restaurants to audit their third-party vendors’ security practices.
