Cyber Incident Victim: Just Eat Takeaway.com
Date: Mar 2020
Location: Germany
Summary
A German food delivery service, Takeaway.com (operating as Lieferando.de), suffered a distributed denial-of-service (DDoS) attack during a period of heightened demand due to public health restrictions. Cybercriminals demanded a ransom of two bitcoins (approximately $11,000) to halt the attack, which disrupted order processing and forced the company to place systems into maintenance mode for security. Customers reported orders being accepted but not processed, prompting the service to offer refunds for online payments on undelivered orders to customers who contacted it directly. The attack significantly impacted operations across its network of over 15,000 partner restaurants before ceasing, with the company subsequently addressing residual effects.
Description
On March 19, 2020, Takeaway.com's German subsidiary Lieferando.de experienced a distributed denial-of-service (DDoS) attack during heightened demand for food delivery services amid COVID-19 restrictions. Germany had implemented strict measures to curb virus transmission, including limited restaurant operating hours, reduced seating capacity, and mandated closures between 6pm and 6am. This led to increased reliance on delivery platforms, with Lieferando facilitating orders from over 15,000 partner restaurants. Attackers exploited this dependency by launching a DDoS siege against Lieferando's systems, crippling website functionality. The assailants demanded a ransom of 2 bitcoins (approximately $11,000) to cease the attack, threatening to expand their targeting to other company assets if unpaid. Takeaway.com CEO Jitse Groen publicly disclosed the incident via Twitter, sharing a screenshot of the extortion demand. The company's German operations subsequently announced they had entered maintenance mode to secure customer data, acknowledging that the defensive measure would cause order processing delays.

Despite system disruptions, Lieferando's platform continued accepting new orders from customers, resulting in numerous transactions that could not be fulfilled. Affected users reported payments that were not processed and meals that were not delivered. In response, Takeaway.com announced via Twitter that customers who had paid online for undelivered orders would receive refunds, though this required manual requests submitted via email rather than automated reimbursement. The attack significantly disrupted operations for both consumers and restaurant partners reliant on timely order fulfillment during peak demand. By March 19, 2020, Takeaway.com confirmed to BleepingComputer that the DDoS campaign had ceased, allowing service restoration while the company addressed residual operational impacts. The incident underscored how cybercriminals leveraged pandemic-induced vulnerabilities in critical service infrastructure during a public health emergency.
