The food-delivery service DoorDash announced Thursday that a security breach exposed the personal data of about 4.9 million customers, merchants, and delivery workers.
The information that was accessed could include driver’s license numbers of approximately 100,000 of its delivery workers, the San Francisco-based company said in a statement. Other data accessed may include “names, email addresses, delivery addresses, order history, phone numbers,” the company said.
The last four digits of some consumer payment cards may been exposed too, but didn’t include enough data to make fraudulent charges, according to the statement. The last four digits of bank account numbers for delivery workers and merchants may have been accessed, but the company said it wasn’t enough information to make fraudulent withdrawals.
DoorDash said it has taken additional steps to protect data stored on its systems.
The company said the breach was limited to customers, merchants and delivery workers who joined the company’s platform on or before April 5, 2018.
DoorDash said it became aware of the breach earlier this month, and determined “an unauthorized third party accessed some DoorDash user data,” on May 4.
A DoorDash spokeswoman said the breach involves a third-party service provider, and that an investigation is ongoing.