Dive Brief:
- TaskRabbit, which was acquired last year by Ikea, shut down its website and app Monday following a "cybersecurity incident" that was apparently a data breach, according to Gizmodo and statements from the company. It is now back online.
- The size and nature of the breach, as well as how it occurred, have not yet been reported by TaskRabbit, an online marketplace for freelance moving, cleaning and handyman tasks.
- "While our investigation is ongoing, preliminary evidence shows that an unauthorized user gained access to our systems," TaskRabbit CEO Stacy Brown-Philpot said in an online statement. "As a result, certain personally identifiable information may have been compromised."
Dive Insight:
TaskRabbit has apparently suffered a data breach of unidentified size and scope. It is also unknown whether Ikea had any exposure in the cyber crime.
TaskRabbit said it hired a forensics team to investigate and promised transparency as more information becomes known. "This is not the last time you will hear from us," Brown-Philpot said in her statement. She added that the firm has been working "around the clock" since Monday to investigate and get back online. Updates will be posted on a dedicated page on the company's website, https://www.taskrabbit.com/update.
TaskRabbit has over 1.5 million users and over 60,000 "taskers" who make money by offering their services on the platform, according to Mashable. It operates in 40 U.S. and U.K. cities. All users and taskers have been advised to immediately change their passwords and monitor their accounts for suspicious activity.
Brown-Philpot said the company is taking additional measures to improve the security of its systems. These include: "[e]xamining ways to make our login processes more secure; evaluating our data retention practices to reduce the amount of data we hold on taskers and clients, where appropriate; and enhancing overall network cyber threat detection technology."
News about data breaches has become somewhat routine, but Ikea's exposure makes this situation a bit different. It highlights the role third-party risk management needs to play in the mergers-and-acquisition process, said Fred Kneip, CEO of CyberGRX, in an email to Retail Dive.
"When Ikea acquired TaskRabbit last year, the company knew that it was adding a valuable and complementary service to its core business," Kneip said. "What Ikea may not have known is that it increased its attack surface with an enormous expansion of the company's digital ecosystem. Cybersecurity risk exposure needs to be at the forefront of all M&A activity. While we don't know what type of cyber due diligence Ikea performed on TaskRabbit, we know it's an important piece of the M&A puzzle. Acquiring a company doesn't just mean you're buying its assets, but also the risk exposure from the target company."