Dive Brief:
- Instacart shoppers’ personal information, including names, order histories, addresses and credit card information, is being sold on the dark web, according to BuzzFeed News.
- As of Wednesday, sellers on two dark web sites were found to be selling information from 278,531 accounts, some of which could be duplicates or fake, the news site reported. Instacart currently has millions of customers across the U.S. and Canada. Account information was being sold for $2 per customer.
- The information found on the dark web dates from at least June through July 22. Instacart told Grocery Dive it isn’t aware of a data breach.
Dive Insight:
Instacart told Grocery Dive it has a security team and multiple layers of security measures across common vectors designed to protect its customers. If the company believed customers’ accounts were compromised, Instacart said, it would send shoppers a message automatically forcing them to change their login information.
But Instacart said it cannot control attackers who may target individuals outside of its platform using phishing or credential stuffing techniques. Credential stuffing works when someone uses similar login credentials across multiple websites and apps.
After reviewing the accounts, a cybersecurity expert told BuzzFeed the information collected looks recent and “legit.” And two women whose personal information was for sale on the dark web confirmed they were Instacart users and that their order history and credit card numbers matched, according to BuzzFeed.
One of the women told BuzzFeed she does not reuse passwords on different websites and apps.
As cyber attacks grow increasingly sophisticated and e-commerce continues to gain momentum, grocery delivery companies and retailers have become targets for hackers, making cybersecurity a priority for these companies.
In 2017, Target had to fork over $18.5 million to 47 states as part of a settlement over a security breach that occurred in 2013 and compromised credit card numbers and other information from millions of consumers.
In 2019, Hy-Vee found that its payment systems were breached by malware at certain point-of-sale systems at its fuel stations, drive-thru coffee shops, Market Grille, Wahlburgers and the cafeteria at its headquarters. At one point, grocers were the top channel for data breaches.