Cyber Incident Victim: Easy Ordering

Date: Apr 2021

Location: United States of America

Summary

A cybersecurity incident involving an online ordering platform compromised payment card data from hundreds of restaurants through breaches affecting multiple service providers. Attackers deployed Magecart skimming attacks targeting card-not-present transactions, impacting approximately 343,000 payment cards across two operational models—direct restaurant ordering infrastructure and third-party aggregation services. The breach exposed transactions from at least 70 distinct restaurants using platforms like Easy Ordering, with veteran hacking groups exploiting centralized payment processing systems. While forensic investigations prompted reporting revisions, the incident underscored systemic vulnerabilities in restaurant-oriented digital payment ecosystems during increased online ordering activity.

Description

In early 2021, a series of breaches targeting online restaurant ordering platforms compromised approximately 343,000 payment cards over a six-month period leading up to April 29, 2021. Gemini Advisory identified five affected companies, including Easy Ordering and E-Dining Express, which provided direct ordering and point-of-sale infrastructure to individual restaurants. Attackers deployed Magecart-style skimming attacks, attributed to the "Keeper" hacking group, to steal card data during transactions. Three platforms operated as primary ordering systems integrated with restaurants' own POS solutions, exposing transactions from at least 70 distinct restaurants. Two additional platforms, including Grabull and an unnamed entity, functioned as third-party aggregators similar to Grubhub or DoorDash, indirectly compromising card data from hundreds of affiliated restaurants. The breaches capitalized on increased online food ordering during the COVID-19 pandemic, targeting both restaurant-specific infrastructure and regional delivery intermediaries.

Gemini Advisory publicly disclosed the incidents on April 29, 2021, noting the breaches affected restaurants that unknowingly relied on compromised platforms. No specific containment measures by the platforms or restaurants were detailed in available reports. In early May 2021, Gemini edited its original blog post to remove two company names and adjust descriptive text, citing sensitivity and ongoing investigations. A legal representative for one unnamed entity later contested Gemini's initial reporting as inaccurate and damaging, though Gemini's revisions were characterized as clarifications rather than retractions. The breaches exposed cardholder names, numbers, expiration dates, and CVV codes, enabling criminal card-not-present (CNP) fraud. Consumers received generalized guidance through media outlets about monitoring statements and using virtual cards, but no coordinated remediation efforts for affected individuals were described. The incidents highlighted systemic vulnerabilities in third-party ordering ecosystems without revealing technical specifics of the attacks or forensic timelines.