Back in 2016, BBC Watchdog reported that large numbers of Deliveroo customers were seemingly being charged for items they didn’t order, with onlookers speculating that the company had been the victim of a significant data breach.
At the time, multiple Deliveroo customers reported that food they hadn’t ordered, to addresses they didn’t recognise, was being charged to their accounts – with some eye-watering orders amounting to charges of over £100.
Yet as far as could be seen, no details had been compromised, and no breach had ever taken place. Deliveroo rationalised the issue, explaining that users were likely just repeating passwords that were easy for hackers to guess – and that’s something we’ve advised against ourselves. Victims were subsequently reimbursed, and Deliveroo was considered uncompromised.
Earlier this year, the accusations resurfaced as more and more angry customers took to social media, each convinced that Deliveroo had fluffed their personal data and left their bank accounts reeling. At this time, Deliveroo had in fact already reported fraudulent spending to the Information Commissioner’s Office after a customer complaint, and confirmed that no breach had taken place. In an (arguably acerbic) article by the New Statesman, one journalist and victim suggested a GDPR intervention – though Deliveroo’s equally forthright response claims this was based on “flawed assumptions”.
It’s unfortunate that the company can’t shrug off the accusations, not least when several of us are still guilty of reusing the same old passwords.
It’s easily done. Our reliance on multiple online services means we’re forced to remember a bewildering number of passwords, and the crude solution for many is to keep them all the same.
Some of us may have adopted a workaround, amending the password slightly for each service we use – but hackers who obtain your password elsewhere have since learned to anticipate this trick, and will try your password with extra digits added as part of their brute-forcing techniques. What’s a user to do?
Mirus Managing Director Paul Tomlinson sat down with Sales Director Dan Sharp to discuss the reason for the Deliveroo breach and how, in the era of the password-protected everything, users can avoid the most common security mistakes.