Dive Brief:
- DoorDash confirmed in a blog post Thursday that it suffered a data breach on May 4 that affected 4.9 million customers, delivery workers and merchants.
- Spokesperson Mattie Magdovitz told TechCrunch that an unauthorized third party gained access to this data and that DoorDash launched an investigation and brought in outside security experts to assess the situation.
- According to TechCrunch, users had their names, email and delivery addresses, order history, phone numbers and passwords stolen. The last four digits of consumers' payment cards were also stolen, while about 100,000 delivery employees had their driver's license information stolen.
Dive Insight:
The restaurant space is particularly vulnerable to hackers, and the cyber target becomes even bigger when considering restaurants' increasing dependence on third-party services, like delivery aggregators and reservation apps. These partners create an additional entry point for hackers to access customer data.
In fact, breaches are up significantly as retailers move toward digital commerce with the help of third-party vendors. According to Tech Republic, there have been more than 3,800 breaches thus far in 2019, an uptick of more than 50% over the past four years.
DoorDash likely has a long road to recovery. Data breaches aren't cheap, financially or reputationally. It costs an average of about $148 per compromised record for a company to recover from a breach, or $3.92 million on average, according to IBM. That's not even counting the costs stemming from potential lawsuits, which could arise since it took nearly five months to inform customers of the breach. Wendy's, for example, settled a data breach lawsuit for $50 million in February.
It's also hard to put a price tag on the reputational damage from eroding consumers' trust. According to a study by KPMG, 19% of customers said they would stop visiting a brand if a breach occurred, and 33% said they would take a break from the company for an extended period of time.
DoorDash is hardly alone in navigating this issue. Earlier this year, EatStreet disclosed a security breach within its system that occurred from May 3 to 17, around the same time DoorDash was compromised. So while this type of third-party breach may turn some restaurants off of DoorDash, the risk is potentially as high with another vendor in the space. The bigger challenge for restaurants is to be more proactive and strategic with their security measures, and also mindful and stringent with their technology partners' programs.