[BreachExchange] Instacart discloses security incident caused by two contractors

Destry Winant destry at riskbasedsecurity.com
Mon Aug 24 10:29:43 EDT 2020


https://www.zdnet.com/article/instacart-discloses-security-incident-caused-by-two-contractors/

Grocery delivery and pick-up service Instacart disclosed a security
incident caused by two employees working for a company providing tech
support services for Instacart shoppers.

According to a press release published today, Instacart says the two
employees "may have reviewed more shopper profiles than was necessary
in their roles as support agents."

The company is now notifying 2,180 shoppers via email about the
incident. The figure represents the Instacart user profiles the
company believes the two employees might have needlessly accessed
while working as tech support agents.

Breach discovered following a routine audit

Instacart said it learned of the two support agents' breach of
procedure following a routine security audit.

The grocery delivery service said a subsequent forensic investigation
did not find any evidence the two support agents had downloaded or
digitally copied data from its systems.

Nonetheless, Instacart said that it took drastic measures when it came
to dealing with the support agents and the company that hired them.

"First, we immediately worked with our third-party support vendor to
ensure that their two employees will never work on behalf of Instacart
again," Instacart said today.

"Second, we suspended work at this third-party support location and
have since ceased local operations indefinitely."

Second security incident this year

This is the second security incident that Instacart had to deal with
this summer. In July, hackers put up for sale the details of 278,531
Instacart accounts on a dark web marketplace.

The sold data included names, delivery addresses, the last four digits
of credit card numbers, and order histories, according to BuzzFeed.

Instacart acknowledged the incident two days later, in a press
release, and blamed it on a credential stuffing attack, accusing users
of reusing passwords across online accounts.

