Deliveroo accounts hacked: Industry reaction and analysis

A perfect example of the "domino effect" that data breaches can have.

Industry professionals have responded to the news that Deliveroo customers have had their accounts accessed and food ordered on their saved cards without their knowledge, using passwords stolen in earlier, unrelated data breaches and reused on Deliveroo.

Kevin Cunningham, founder and president of SailPoint:

“This illustrates an interesting ‘chaining’ or ‘domino effect’ that data breaches can have across multiple organisations. Identity has become the new attack vector and hackers are all over that fact – finding those orphaned accounts to grab and log into behind the scenes without an IT admin even knowing about it. Or, taking stolen credentials from one breach and using them to access another website. All because a user chose to reuse a password across multiple sites – a very common occurrence.

“Often, it comes down to password hygiene as the starting point to stronger and smarter access management. Use a unique password for every application. Make sure the password is long and more complex – ideally twelve characters should be thought of as a minimum. Protecting identity is key: to the safety of our own personal data, to the security of sensitive company data and files, and, to the safety of sensitive data in an organisation that may not even be linked to your own.”
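Cunningham's two points, a unique password per site and a sensible minimum length, are the kind of rule a site can enforce at registration and password change rather than leave to the user. The example below is added here and is not code from Deliveroo, SailPoint or any other party quoted on this page. It checks a candidate password for length and against a breach corpus using the k-anonymity range-query pattern (only the first five hex characters of the SHA-1 hash leave the client, and the client compares the remaining suffix locally). The breach corpus, the passwords in it and their counts are constructed for illustration; the function names are the author's own.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed stand-in for a breach corpus: password -> number of times it
# appeared in leaked data. The passwords and counts are made up for this
# example; a real deployment would query a service such as Pwned Passwords
# or a locally mirrored corpus instead.
BREACHED_SAMPLE: Dict[str, int] = {
    "password123": 1_530_000,
    "letmein": 310_000,
    "Summer2016!": 4_200,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password. SHA-1 is the hash convention of
    breached-password range lookups; it is a lookup key here, not a way to
    store credentials."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_table(breached: Dict[str, int]) -> Dict[str, List[str]]:
    """Index the corpus by the first 5 hex characters of each hash, keeping
    the remaining 35 characters and the count as 'SUFFIX:COUNT' lines."""
    table: Dict[str, List[str]] = {}
    for password, count in breached.items():
        digest = sha1_hex(password)
        table.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return table


RANGE_TABLE = build_range_table(BREACHED_SAMPLE)


def lookup_range(prefix: str) -> List[str]:
    """Local stand-in for the range query. Only the 5-character prefix would
    leave the client; the remote side returns every suffix in that bucket
    and never learns which full hash the client cared about (k-anonymity)."""
    return RANGE_TABLE.get(prefix.upper(), [])


def breach_count(password: str,
                 lookup: Callable[[str], List[str]] = lookup_range) -> int:
    """Return how often the password appears in the corpus (0 if never).
    The suffix comparison happens locally, so the full hash is never sent."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_new_password(password: str, min_length: int = 12) -> List[str]:
    """Policy check for a new or changed password: a minimum length and a
    breach-corpus lookup, no composition rules. Returns the reasons the
    password is rejected; an empty list means it is acceptable."""
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    seen = breach_count(password)
    if seen:
        problems.append(f"appears {seen} times in known breach data")
    return problems


if __name__ == "__main__":
    for candidate in ("letmein", "password123", "four muddy otters bake bread"):
        verdict = check_new_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The check catches exactly the failure mode this incident illustrates: a password that is long and "complex" by composition rules but already sits in a public breach dump is still a skeleton key, so the corpus lookup matters more than character-class rules. The default minimum length of twelve follows the figure in the quote above.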

James Romer, Chief Security Architect EMEA at SecureAuth Corporation:

“This is a perfect example of why people need to be using different password / username credentials for different sites. Using the same combination is the equivalent of a skeleton key to your online life. It makes it too easy for bad actors to gain entry to more and more information. This is of monumental importance, particularly on sites like Deliveroo where customers save their card details for convenience, leaving them with holes in their bank accounts too.

“This laid-back consumer attitude is no longer acceptable, and companies also need to be doing more to add extra layers of authentication to login processes, which don’t have to impact the user. Multi-factor, adaptive authentication renders stolen credentials completely worthless, taking advantage of the contextual information that exists today around our identities, devices and locations, making it much harder to compromise accounts. This also removes the hoops to purchase without impacting the user experience.”

Phil Allen, VP EMEA at Ping Identity:

“The latest high-profile data breaches experienced by Deliveroo and Three Mobile further highlight why the identity and security of customers need to be taken much more seriously by organisations. Consumers are increasingly becoming targets for many sophisticated hackers through the brands they choose to do business with. The damage inflicted could be limited if high-profile brands invested more in methods such as two-factor and multi-factor authentication to safeguard data and dramatically improve the experience of their customers.

“Best practice is now focused on improving the way customers can manage their identity with a consistent secure experience during their online activity. Additional layers of security don’t have to mean extra form-filling for the consumer if it’s seamlessly integrated into the buying process. Businesses may win out in the short run, but if they want to maintain their reputation and customer loyalty long-term, investment in greater identity security for their customers is critical.”

Ryan O’Leary, VP Threat Research Centre at WhiteHat Security:

“Companies should be forcing users to practice good security habits, as it’s the only way people will create and keep secure passwords. You see this today with tighter password policies. Needing at least one lowercase, one upper case, one number and one special character is great, but we should also be forced to change our passwords on a regular basis. That way, if a person’s password is compromised and they use it on multiple sites, they will soon be asked to update it, thereby lessening the window of exposure.

“We now also have two-factor authentication that texts, emails or calls you to prove your identity. These are all controls to force users to have better password habits and therefore protect themselves from cybercrime. It’s difficult to make the average user accountable when the websites they are using can easily enforce tighter security controls, and should.”

Paul Lyden, VP Northern Europe at Barracuda Networks:

“The ripple effect caused by a data breach will likely impact more than just the original target. It could impact the target’s broader business ecosystem, and that means that these companies have an equal duty of care to ensure their security posture remains solid. The Deliveroo incident is a perfect example of this in action. It doesn’t matter how strong your security defences are, if your attackers come to the door armed with a key, there’s not much you can do to stop them getting in.

“The problem is, for the average person, really secure, unique passwords are too difficult to remember and so password re-use is inevitable. Organisations must work together to secure mutual customers and put in place measures to force individuals to use a unique password for their site.”
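The attack every comment on this page describes, stolen credentials from one breach replayed against another site, leaves a distinctive trace in the target's own authentication logs even though each individual login that succeeds is, as Lyden puts it, an attacker "armed with a key": one source touches many different accounts, roughly one attempt each, with a high failure rate, and the few successes are the accounts now in the attacker's hands. The example below is added here and is not code from Deliveroo, Barracuda or any other party quoted on this page. It parses a constructed log format, buckets attempts by source address and time window, and flags sources that fit the credential-stuffing shape; the log lines, addresses, user names, thresholds and function names are all the author's own assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed authentication log, not real Deliveroo data. One source
# (203.0.113.7) walks a list of accounts with one try each and gets one hit
# ('carol'); a legitimate user (ivan) mistypes twice from his own address.
SAMPLE_LOG = """\
2016-11-23T10:15:01Z ip=203.0.113.7 user=alice result=FAIL
2016-11-23T10:15:02Z ip=203.0.113.7 user=bob result=FAIL
2016-11-23T10:15:02Z ip=203.0.113.7 user=carol result=OK
2016-11-23T10:15:03Z ip=203.0.113.7 user=dave result=FAIL
2016-11-23T10:15:03Z ip=203.0.113.7 user=erin result=FAIL
2016-11-23T10:15:04Z ip=203.0.113.7 user=frank result=FAIL
2016-11-23T10:15:04Z ip=203.0.113.7 user=grace result=FAIL
2016-11-23T10:15:05Z ip=203.0.113.7 user=heidi result=FAIL
2016-11-23T10:16:10Z ip=198.51.100.20 user=ivan result=FAIL
2016-11-23T10:16:25Z ip=198.51.100.20 user=ivan result=FAIL
2016-11-23T10:16:40Z ip=198.51.100.20 user=ivan result=OK
malformed line that the parser should skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) ip=(?P<ip>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)
EPOCH = datetime(1970, 1, 1)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: Set[str] = field(default_factory=set)
    compromised: Set[str] = field(default_factory=set)  # logins that succeeded


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Parse one log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"], m["result"]


def aggregate(log: str, window: timedelta) -> Dict[Tuple[str, int], SourceStats]:
    """Group attempts by (source IP, fixed time bucket of length `window`)."""
    buckets: Dict[Tuple[str, int], SourceStats] = {}
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, user, result = rec
        key = (ip, (ts - EPOCH) // window)
        s = buckets.setdefault(key, SourceStats())
        s.attempts += 1
        s.users.add(user)
        if result == "FAIL":
            s.failures += 1
        else:
            s.compromised.add(user)
    return buckets


def detect_stuffing(log: str, window_minutes: int = 10,
                    min_users: int = 5, min_fail_ratio: float = 0.8) -> List[dict]:
    """Flag sources that touch many distinct accounts with mostly failures.
    A user fat-fingering a password (one account, a few tries) and a brute
    force against one account (one account, many tries) both fall below
    `min_users`; stuffing is many accounts at about one try each, because a
    leaked password is only worth testing against the account it came with."""
    window = timedelta(minutes=window_minutes)
    alerts: List[dict] = []
    for (ip, bucket), s in aggregate(log, window).items():
        ratio = s.failures / s.attempts
        if len(s.users) >= min_users and ratio >= min_fail_ratio:
            alerts.append({
                "ip": ip,
                "window_start": (EPOCH + bucket * window).isoformat(),
                "distinct_users": len(s.users),
                "attempts": s.attempts,
                "fail_ratio": round(ratio, 3),
                # the successes are the accounts the attacker now holds
                "compromised": sorted(s.compromised),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_stuffing(SAMPLE_LOG):
        print(alert)
```

Two caveats for anyone adapting this. A source that spreads its attempts across a proxy pool will stay under `min_users` per address, so the same aggregation should also be run per user agent, per ASN or per TLS fingerprint, and a per-account "first login from a new device" signal catches the hits that slip through. And detection only shortens the window; it is the second factor the other commentators call for that makes the replayed password worthless in the first place.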

Image source: Shutterstock/Laura Hutton