Dive Brief:
- Instacart has disclosed a security incident in which two employees of a third-party vendor reviewed more shopper profiles than necessary for their work in tech support, according to a company blog post. Instacart discovered the breach during a routine audit.
- Instacart's investigation found the information viewed by these individuals may have included names, email addresses, phone numbers and driver's license numbers. None of the data was downloaded or digitally copied, and no customer information or profiles were accessed in the incident.
- About 2,180 Instacart shoppers came into contact with the vendor's agents, and Instacart has offered all of them two years of free credit monitoring as a precautionary measure. The company has suspended work at the third-party location for the time being.
Dive Insight:
Instacart's second security issue this year reveals the downsides to an industry growing more reliant on e-commerce.
The current incident has prompted the grocery delivery service to add security procedures for its shoppers, who already have extensive authentication measures in place. First, it will add a new support process dedicated to shoppers who think they may be impacted by the incident and to anyone who has questions about security and their account. In the coming months, Instacart will also expand the use of two-factor authentication to more features within the shopper app.
This follows another round of new security measures that Instacart recently added for shoppers, including random shopper ID verification, automatic logouts and more secure logins. Instacart has also banned device switching so shoppers can't swap devices in the middle of an order.
This past July, hackers put information on more than 278,000 Instacart accounts up for sale on the dark web. Names, delivery addresses and the last four digits of users' credit cards were compromised, but Instacart said its actual platform was not compromised or breached. It has since notified customers and invalidated their passwords, asking them to set new ones. The company said it cannot control attackers that may target individuals outside of its platform using phishing or credential stuffing techniques. This happens more frequently when someone uses the same information to log in across different websites and apps.
Customer data is increasingly vulnerable as more people buy online and use different grocery services. In May, Kroger's Home Chef meal service experienced a data security breach that exposed customer names, emails and passwords. Last year, Hy-Vee experienced a major incident that compromised customers' credit card information.