Serviceteam IT Security News

Instacart has reported a security incident in which two employees working for a third-party vendor accessed its customers’ personal information. The company noted these individuals “reviewed more shopper profiles than was necessary in their roles as support agents.”

Information potentially viewed includes customer names, email addresses, telephone numbers, driver’s license numbers and thumbnail images of the driver’s licenses.

The grocery delivery and pick-up firm said that following a thorough investigation, conducted with a forensic analysis company, it has concluded that “no shopper data was stored, downloaded or digitally copied in any way.”

Instacart has since emailed the 2180 shoppers affected to notify them of the incident and the preventative measures taken. It is also offering two years of free credit monitoring and protection to these shoppers.

The company added that it has worked with the third party to ensure the two employees never work on behalf of Instacart again and has also suspended work at the particular third-party support location.

For those shoppers who believe they have been impacted by the incident, Instacart said it is introducing a new dedicated shopper support process. To help prevent such incidents occurring in the future, it is adding two-factor authentication to more aspects of the Shopper app.

Commenting on Instacart’s statement, Keith Geraghty, solutions architect at Edgescan, said: “You can conduct all the vetting in the world of your employees, but it is not a surefire way to protect yourself from these types of issues. What will help is good compliance standards. In technical terms, that means enforcing least privilege, keeping and reviewing logs and having the correct security awareness training for all staff.

“It is not clear whether any malicious intent was involved, so we are yet to find out if the action taken was on the strong side. You cannot leave the door wide open and expect that everyone will pass by and not take a peek in.”

Martin Jartelius, CSO, Outpost24, commented: “Looking at countries that log these breaches with great care, we cannot see the insider breaches where individuals access data to which they have permission to do so, however, without business justification is relatively common. Cases can be seen by police, in medical care and more.

“The interesting part is that this is generally only detected where there are strict requirements for logging and auditing, there is no reason to suspect that police or medical care, or in this case support workers, are more inclined to such breaches, but rather that if you look for deviations, you shall find deviations. This speaks nicely in favor of a good practice of logging and auditing where the breach occurred.”

Organizations increasingly work with third-party vendors, who often hold their data or access their network, and this is adding to the risk of security incidents occurring.

Source: Infosecurity Magazine
