It’s the first major data breach of the holiday season. DoorDash has confirmed a security breach in which hackers stole the personal information of users, Dashers, and merchants.
The stolen info includes names, phone numbers, physical addresses, and email addresses. Social Security numbers and credit card information were not stolen, the company said. DoorDash has not revealed the number of users impacted but said “there was no indication that the data has been misused for fraud or identity theft at this time.”
DoorDash (DASH) admitted that an employee was duped in a “social engineering scam,” which is all-inclusive fraud lingo that could encompass email phishing, malware, text messaging, or virtually any other method to induce a victim to disclose private information.
DoorDash said it hired an external firm and contacted law enforcement to assist with the investigation. Affected users have been notified, “where required,” DoorDash said.
The DoorDash breach may not be an ‘urgent’ breach, but it can be combined with other stolen data
Michael Bruemmer, vice president of Global Data Breach Resolution at Experian, the credit services and analytics company, said that if a breach is limited to your name and contact information — as DoorDash claims — it may be a “lower level” breach and the damage may initially seem to be minimal, but there is more at risk.
He told Yahoo Finance that with AI, it’s faster and easier to assimilate large datasets.
“Losing your name, your address, maybe account information, maybe even an additional PIN — all of these pieces can be taken from different events. So DoorDash may be one thing, but if they got Social Security numbers and driver’s licenses from somewhere else and match that address, they could put together what we call a synthetic ID,” Bruemmer said.
A synthetic ID can be used to open new accounts or even apply for government services, he added.
What to do if you’ve been notified of a breach
Bruemmer said it’s important to take basic steps to protect yourself from possible fraud. Many credit and security companies, including Experian, offer free, continuous credit report monitoring. This will enable you to promptly report any unusual activity, which may help limit your liability.
In some cases, you are only responsible for up to $50 out of pocket for fraud reported within two business days. You could lose up to $500 if you wait longer. Past 60 days, you might not be able to recoup any fraudulent losses.
Even in a low-level breach, such as the DoorDash event, Bruemmer said, “It’s really good to know if they’ve been compromised because then you can make sure, ‘Oh, hey, do I have my credit file frozen at all three bureaus? Have I taken advantage of the free identity theft protection offer if it’s given during a breach? Or have I checked my bank account or checked for any strange activity on my credit card statement?'”
The holiday season is ripe for scams
Experian research revealed some concerning statistics for holiday fraud, including:
-
Of Gen Z respondents, 15% would risk identity theft for a major Cyber Monday deal. Gen Z is the most willing demographic to “trade security for savings,” according to Experian.
-
Identity theft (68%) and stolen credit card data (61%) are the top concerns for consumers during the holiday season.
-
Top sources of fraud among victims:
-
26%: When using a credit card at a retail store
-
22%: While shopping online during the holiday season
-
16%: Stolen mail during the shopping season
-
-
Online shopping and mail theft are rising entry points for fraud.
-
Overall, 31% of consumers fear identity theft this holiday season.
One last line of defense Bruemmer recommends: real-time transaction alerts.
