On Friday morning, I woke up late, rushed to the tube, tapped in with Apple Pay, only to discover a few minutes later that my payment had been declined because I had insufficient funds. Figuring, “Well, it’s January”, I went to check my bank balance.
But rather than seeing an overspend or a direct debit I’d forgotten about, I saw three enormous charges from the food delivery service Deliveroo from the night before. They weren’t mine.
I immediately called Deliveroo to say that it wasn’t, in fact, me who ordered £100 worth of food in the space of ten minutes in three separate orders; and told them that the fraudsters had changed my email address, so I couldn’t even get into my account to look at where it was sent. I was told that they would investigate, and I would be sent an email asking for more information immediately.
I was not. After an hour, I rang again, to find that actually the email had been sent to the new email address – the one the fraudsters plugged in – so that they had presumably been alerted to the investigation. I complained, got the email re-sent to me, and was then met by radio silence for the rest of the day. When I eventually rang again, the company said it couldn’t actually tell me whether or not I would get my money back, adding that I might not hear from them for nearly a week before they let me know either way.
By 5pm, I was getting fed up, so I did what any journalist with a modest Twitter following would do, and tweeted. What I thought would happen was that my case would be bumped on the list, and maybe I’d get my money back sooner (or, indeed, at all). What actually happened was that my replies, DMs and email were all immediately flooded with people who had been a victim of the same fraud, saying, yes, this had happened to them too and no, Deliveroo had never refunded them. Of the roughly 40 people I spoke to, not a single one had been refunded by the delivery service; those who did get their money back had got it from their bank. The people tweeting the account claimed to have experienced fraud ranging from the low hundreds of pounds, like my case, to, in some cases, thousands. One person tweeted me to say that a friend of his was fraudulently charged £3,500 on his account. “Deliveroo offered him a £40 credit as a gesture.”
More shockingly, nearly half of these people told me that their cases were still technically “under investigation” by Deliveroo, some for over two months. Most of those who had been waiting for more than a week to hear about their case told me Deliveroo had simply stopped responding to their calls.
(Later – a lot later – a Deliveroo spokesman would tell me it was likely I had been the victim of a “credential stuffing” attack, in which hackers obtain lists of usernames and passwords and try them out on other platforms.)
This problem is not actually new. In 2016, the Telegraph ran an expose of rampant fraud on the food-delivery service, and reported on customers’ shock at Deliveroo’s poor handling of the situation. The same day, a BBC Watchdog programme did a feature on Deliveroo fraud, in which Deliveroo claimed that “instances of fraud on our system are rare”.
But dating back several years, Deliveroo’s customer service Twitter account, @DeliverooHelp, has responded to claims of fraud nearly every day – often, in recent months, multiple times a day. They may represent only a small percentage of Deliveroo’s wider customer base, but it’s not at all obvious this is “rare”.
However, help for customers – and fines for the delivery service – could be coming from Brussels. Laura Irvine, a regulatory lawyer and Partner at Davidson Chalmers, tells me that Deliveroo may have breached the GDPR regulations introduced last year on multiple counts.
The General Data Protection Regulation (GDPR), which became European law on 25 May 2018, made sweeping changes to data protection rules across the EU: now, companies are more liable for protecting the data they hold on customers than ever before.
Irvine tells me that Deliveroo appears to have breached these regulations three times over. The sixth principle of Article 5, for example, requires companies to have “appropriate security in place to keep your financial and other personal data secure”, she notes. The firm also appears to have breached Article 32, “which provides more detail about what is expected in terms of data security – namely encryption, which appears not to have been in place”.
Lastly, there’s Article 34, which requires the “data controller” – that’s Deliveroo – to tell “anyone who may be affected by a data breach about it without undue delay. This applies when the breach is likely to result in a high risk of an impact on the individual. Getting your bank account emptied would, I suggest, meet that threshold.”
So what fines could Deliveroo face, if it were to be found guilty of these data breaches? “It could be millions of pounds,” Irvine says.
She emphasised that this is a big “could” – the millions of pounds they could be fined would be the upper end of the spectrum. But it is entirely possible, especially given the criticism the Information Commissioner’s Office (ICO) has faced for the small size of its fines in the past. “They were criticised for the small fine imposed on Facebook – £500,000 which was the maximum under the old law,” she tells me. “So I think they will want to use their powers. And they need to keep up with the other regulators,” she adds, noting that Google recently faced a €50m fine in France for breaching GDPR.
That said, there are some things that could spare Deliveroo from this fate: if, say, Deliveroo had told the ICO about the data breach within 72 hours, the threshold for fines would be lowered. But, Irvine says, the high volume of incidents and the reported response from Deliveroo suggest they aren’t informing the ICO of their data protection problems.
“They may blame other parties, but at the end of the day if you give them your data then they remain responsible – in most cases,” she says. “I am not sure how the bank would stop this.”
I put all this to Deliveroo. A spokesperson told me: “Deliveroo takes online security very seriously. Sadly fraudsters rely on the fact that people reuse the same passwords on multiple online services to try and gain entry to different accounts across the web.”
Ultimately, though, fines are not the only problems that security breaches of this sort pose to firms like Deliveroo. “Soon people will stop using companies based on how responsible they are with data,” she says. “Particularly financial data – but even your address being out there can be uncomfortable or dangerous for some people.” If she’s right, then this, for Deliveroo, could be just the beginning.
Midway through writing this story, I got my money back, by the way – and from Deliveroo itself. Other victims have not been so lucky.
Update: A Deliveroo spokesman has now been in touch with a more complete response, which we have agreed to publish in full:
“Deliveroo is a responsible technology company and as such takes data protection extremely seriously.
“Deliveroo adopts appropriate measures, including encryption and password hashing, to keep user data secure. We have a number of security measures in place to prevent fraudulent orders. Unfortunately, where a customer uses the same email and password on multiple internet platforms and suffers a breach elsewhere – as is the case of the author – fraudsters will seek to take advantage of this. We abide by our reporting commitments to regulators and inform and advise customers when we become aware of fraudulent activity on their account.
“The allegations made in this article in relation to GDPR are inaccurate and based on flawed assumptions. For the avoidance of doubt, no passwords have been compromised from the Deliveroo platform. We are disappointed that the New Statesman published these claims without putting them to Deliveroo first.”
Reporting for this story is ongoing. If you have any tips or if you have been affected by an incident like this, please email firstname.lastname@example.org with relevant information.