Grubhub has disclosed a security breach that exposed customer and driver contact information due to unauthorized access through a third-party service provider. The Illinois-based food delivery company, recently acquired by New York’s Wonder Group, announced the incident on Monday.
Grubhub said it discovered the breach after detecting “unusual activity” involving a third-party contractor providing support services. The company said it immediately terminated the contractor’s access and removed them from its systems. “We are confident that the incident has been fully contained,” Grubhub stated in a press release.
The compromised data includes names, email addresses, and phone numbers of campus diners, as well as other diners, merchants, and drivers who interacted with Grubhub’s customer care service. In addition, some campus dining users had their payment card type and the last four digits of their card numbers exposed. Hashed passwords from certain legacy systems were also accessed, but the company emphasized that Grubhub Marketplace customer passwords remained secure.
Grubhub assured customers that sensitive financial and personal information—including full payment card numbers, bank account details, Social Security numbers, driver’s license numbers, and merchant login credentials—was not compromised. As a precaution, the company has rotated at-risk passwords and urged users to maintain unique credentials for added security.
In response to the breach, Grubhub has partnered with cybersecurity experts to investigate, strengthened credential security, and enhanced monitoring systems. “We have taken decisive steps to further secure our systems and are actively strengthening our security controls to prevent similar incidents in the future,” the company said.
Grubhub has not disclosed how many customers were affected and has yet to respond to further requests for comment.