Full Report
In a statement published on Monday evening, the company said it recently identified a security incident that “originated with an account belonging to a third-party service provider that provided support services to Grubhub.”
Analysis Summary
# Incident Report: Grubhub Third-Party Vendor Compromise
## Executive Summary
Grubhub recently experienced a security incident where an attacker gained unauthorized access via an account belonging to a third-party service provider supporting the Grubhub Support Team. This resulted in the theft of customer contact information, partial payment card data (card types and last four digits), and hashed passwords for some legacy systems. Grubhub contained the incident by immediately terminating the vendor account and removing the provider from their systems, though the full scope and number of affected individuals remain undisclosed.
## Incident Details
- **Discovery Date:** Not explicitly stated; the statement says only "recently identified."
- **Incident Date:** Not explicitly stated; no dwell time or first-access date was disclosed.
- **Affected Organization:** Grubhub
- **Sector:** Food Delivery / E-commerce
- **Geography:** Likely U.S. based, given service location.
## Timeline of Events
### Initial Access
- **Date/Time:** Not specified.
- **Vector:** Unauthorized access to an account belonging to a third-party service provider supporting the Support Team.
- **Details:** The entry point was a compromised or misused account of a vendor providing support services.
### Lateral Movement
- **Details:** The information accessed suggests the compromise involved systems handling customer care interactions. Details on internal lateral movement within Grubhub's network beyond the vendor access point are not provided.
### Data Exfiltration/Impact
- **Details:** Exfiltrated data included:
* Contact information for campus diners, general diners, merchants, and drivers who interacted with customer care.
* Last four digits of payment card numbers and card types for some customers.
* Hashed passwords for certain legacy Grubhub systems.
### Detection & Response
- **Detection:** Grubhub detected "unusual activity within [their] environment traced to a third-party service provider."
- **Response Actions:**
1. Promptly launched an investigation.
2. Immediately terminated the compromised account's access.
3. Removed the service provider entirely from Grubhub systems.
4. Worked with external experts for investigation.
5. Rotated any passwords that may have been leaked.
## Attack Methodology
- **Initial Access:** Compromise of a third-party vendor support account.
- **Persistence:** Not detailed; the attacker retained access long enough to reach several distinct data sets (contact records, partial card data, legacy password hashes), but no dwell time was disclosed.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Theft of hashed passwords for *legacy systems* via the access point.
- **Discovery:** Unknown, though accessing customer care records implies some level of system awareness.
- **Lateral Movement:** Movement into systems holding customer interaction data.
- **Collection:** Gathering contact information, partial payment details, and legacy password hashes.
- **Exfiltration:** The statement confirms the data was accessed; transfer off the network is implied by the breach notification but not explicitly described.
- **Impact:** Financial (partial payment card data and PII exposure) and Privacy (exposure of customer care records).
## Impact Assessment
- **Financial:** Not disclosed. The incident was announced shortly after Grubhub agreed to a $25M settlement with the FTC over unrelated prior conduct.
- **Data Breach:** Customer PII (names, emails, phone numbers), last four digits of card numbers, card types, and hashed legacy passwords.
- **Operational:** No mention of significant operational disruption, though response required immediate vendor termination.
- **Reputational:** Company issued a public statement acknowledging the breach.
## Indicators of Compromise
- **Network indicators:** None provided.
- **File indicators:** None provided.
- **Behavioral indicators:** Unusual activity traced to a third-party support account environment.
## Response Actions
- **Containment measures:** Immediate termination of the third-party service provider's account access; complete removal of the service provider from systems.
- **Eradication steps:** Not detailed beyond account termination.
- **Recovery actions:** Rotation of potentially leaked passwords; confidence expressed that the incident is fully contained.
## Lessons Learned
- Third-party vendor access is a significant risk vector when the vendor's own controls and the access granted to it are not tightly bounded (Nth-party risk).
- A support-role vendor account reached systems holding customer contact data, partial card data, and legacy password hashes, which suggests the account's effective access exceeded what a support function requires.
- Disclosure should state scope (number of affected individuals, dates of access and discovery); the statement gives neither.
## Recommendations
- Review and tighten the vetting, continuous monitoring, and access controls for *all* third-party vendors, prioritizing those with access to customer-facing or customer-data systems.
- Require phishing-resistant multi-factor authentication for vendor accounts, scope them to the minimum actions and data sets their role needs, and restrict them by source network and approved time window; alert on any activity outside that scope.
- Audit the legacy systems whose password hashes were taken: confirm every affected credential has been rotated, and confirm remaining hashes use a slow, salted algorithm (e.g., bcrypt, scrypt, or Argon2) rather than fast legacy hashes that are cheap to crack offline.
- Establish internal protocols for prompt public disclosure once unauthorized access is confirmed, including the affected population and dates as soon as they are known.
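The detection and least-privilege points above can be made concrete with a small policy check run over a vendor account's audit trail. The following is an added example, not Grubhub's code or any detail from its statement: the policy values, the account name `vendor-support-01`, the log format, and the log lines themselves are all constructed for illustration. It flags events where a support-role account acts outside its approved actions, data sets, source network, or hours, or touches an unusual volume of records within one hour.

```python
"""Flag out-of-policy activity by a third-party support account (added example)."""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed least-privilege policy for a hypothetical vendor support account.
# The account name, networks, and thresholds are illustrative assumptions.
VENDOR_POLICY = {
    "vendor-support-01": {
        "actions": {"view_ticket", "reply_ticket", "lookup_order"},
        "resources": {"support_tickets", "orders"},
        "source_networks": [ipaddress.ip_network("203.0.113.0/24")],  # vendor egress (TEST-NET-3)
        "hours_utc": range(12, 24),                                    # approved support window
        "max_records_per_hour": 100,                                   # bulk-access threshold
    }
}

# Constructed audit log, CSV with no header.
# Fields: timestamp, account, src_ip, action, resource, records_touched
SAMPLE_LOG = """\
2025-02-03T14:02:11Z,vendor-support-01,203.0.113.17,view_ticket,support_tickets,1
2025-02-03T14:05:40Z,vendor-support-01,203.0.113.17,lookup_order,orders,1
2025-02-03T14:09:03Z,vendor-support-01,203.0.113.17,reply_ticket,support_tickets,1
2025-02-04T03:12:55Z,vendor-support-01,198.51.100.9,view_ticket,support_tickets,1
2025-02-04T03:14:20Z,vendor-support-01,198.51.100.9,export_records,customer_contacts,4800
2025-02-04T03:21:47Z,vendor-support-01,198.51.100.9,read_table,legacy_auth_db,1
"""

FIELDS = ["timestamp", "account", "src_ip", "action", "resource", "records"]


def parse_events(text):
    """Parse CSV audit lines into dicts with a datetime and an int record count."""
    events = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        row["records"] = int(row["records"])
        events.append(row)
    return events


def audit_vendor_activity(events, policy=VENDOR_POLICY):
    """Return [(timestamp, [reasons])] for every event that violates the account's policy.

    Checks, in order: action scope, resource scope, source network, approved
    hours, and cumulative records touched per account per clock hour.
    """
    findings = []
    records_per_hour = defaultdict(int)
    for ev in events:
        rules = policy.get(ev["account"])
        if rules is None:
            findings.append((ev["timestamp"], ["unknown_vendor_account"]))
            continue
        reasons = []
        if ev["action"] not in rules["actions"]:
            reasons.append("action_out_of_scope")
        if ev["resource"] not in rules["resources"]:
            reasons.append("resource_out_of_scope")
        src = ipaddress.ip_address(ev["src_ip"])
        if not any(src in net for net in rules["source_networks"]):
            reasons.append("source_outside_vendor_range")
        if ev["ts"].hour not in rules["hours_utc"]:
            reasons.append("outside_approved_hours")
        bucket = (ev["account"], ev["ts"].strftime("%Y-%m-%dT%H"))
        records_per_hour[bucket] += ev["records"]
        if records_per_hour[bucket] > rules["max_records_per_hour"]:
            reasons.append("bulk_record_access")
        if reasons:
            findings.append((ev["timestamp"], reasons))
    return findings


if __name__ == "__main__":
    for ts, reasons in audit_vendor_activity(parse_events(SAMPLE_LOG)):
        print(ts, ", ".join(reasons))
```

Run against the constructed log, the three daytime ticket lookups pass cleanly, while the three off-hours events from an address outside the vendor range are each flagged; the export of 4,800 contact records and the read of a legacy authentication table additionally trip the scope and bulk-access checks. The point is that the policy is expressed per account and per data set, so a support vendor reaching a legacy credential store is a violation on its own, before any volume threshold is crossed.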