Cyber Incident Victim: EatStreet

On May 3, 2019, an unauthorized third party gained access to EatStreet's database, compromising customer payment information and sensitive partner data. The breach remained undetected until May 17, 2019, when the company discovered the intrusion and promptly terminated the unauthorized access. The attacker exfiltrated information present in the database as of the intrusion date, including payment card details for a limited number of customers - specifically names, credit card numbers with expiration dates and verification codes, billing addresses, email addresses, and phone numbers. For delivery drivers and restaurant partners, the compromised data included names, addresses, phone numbers, email addresses, and critically, bank account and routing numbers. The company did not disclose the exact number of affected individuals but operated in over 1,100 cities with 15,000 restaurant partners, while its Android app had over 100,000 installations at the time of reporting.

EatStreet responded by engaging an external IT forensics firm to investigate the incident and conducted system audits to verify no additional unauthorized access occurred. The company implemented enhanced security measures including reinforced multi-factor authentication, credential key rotation, and coding practice reviews. Notifications were sent to affected customers and partners without law enforcement-related delays, while credit card processors received breach alerts to implement protective measures. The investigation remained ongoing at the time of disclosure, with no evidence found of further system compromises beyond the May 3 intrusion. EatStreet emphasized continuous collaboration with external security experts to strengthen its security controls following the breach.