Instacart Reveals Third Party Employees Viewed Shopper Data

Instacart has reported a security incident in which two employees working for a third party vendor viewed shopper information. The company noted these individuals “reviewed more shopper profiles than was necessary in their roles as support agents.”

Information potentially viewed includes customer names, email addresses, telephone numbers, driver’s license numbers and thumbnail images of the driver’s licenses.

The grocery delivery and pick-up firm said that following a thorough investigation, conducted with a forensic analysis company, it has concluded that “no shopper data was stored, downloaded or digitally copied in any way.”

Instacart has since emailed the 2180 shoppers affected to notify them of the incident and the preventative measures taken. It is also offering two years of free credit monitoring and protection to these shoppers.

The company added that it has worked with the third party to ensure the two employees never work on behalf of Instacart again and has also suspended work at the particular third party support location.

For those shoppers who believe they have been impacted by the incident, Instacart said it is introducing a new dedicated shopper support process, and to help prevent such incidents occurring in the future, it is adding two-factor authentication to more aspects of the Shopper app.

Commenting on Instacart's statement, Keith Geraghty, solutions architect at Edgescan, said: “You can conduct all the vetting in the world of your employees, but it is not a sure fire way to protect yourself from these type of issues. What will help is good compliance standards. In technical terms, that means enforcing least privilege, keeping and reviewing logs and having the correct security awareness training for all staff.

“It is not clear whether any malicious intent was involved, so we are yet to find out if the action taken was on the strong side. You cannot leave the door wide open and expect that everyone will pass by and not take a peek in.”

Martin Jartelius, CSO, Outpost24, commented: “Looking at countries that log these breaches with great care, we cannot see the insider breaches where individuals access data to which they have permission to do so, however, without business justification is relatively common. Cases can be seen by police, in medical care and more.

“The interesting part is that this is generally only detected where there are strict requirements for logging and auditing, there is no reason to suspect that police or medical care, or in this case support workers, are more inclined to such breaches, but rather that if you look for deviations, you shall find deviations. This speaks nicely in favor of a good practice of logging and auditing where the breach occurred.”

Organizations’ increasingly work with third party vendors, who often hold their data or access their network, and this is adding to the risk of security incidents occurring.

What’s Hot on Infosecurity Magazine?