DoorDash Confirms Data Breach After Employee Falls for Social Engineering Scam

Key Takeaways
  • Breach Origin: DoorDash says the incident began when an employee was targeted in a social engineering scam that allowed an unauthorized third party to access internal systems.
  • Data Exposed: The accessed information included users’ names, email addresses, phone numbers, and physical addresses.
  • Sensitive Data Protected: DoorDash stated that no sensitive identifiers, such as Social Security numbers, government-issued IDs, driver’s license information, or bank or payment card details, were compromised.
  • Company Response: DoorDash shut down the intrusion, notified law enforcement, began an investigation, rolled out new security enhancements, and launched additional employee training on social engineering threats.
Deep Dive

DoorDash has disclosed a data breach after a social engineering scam tricked one of its employees, allowing an unauthorized party to access user information across its platform. The company says the exposed data included names, email addresses, phone numbers, and physical addresses, though it declined to say how many people were affected.

In its notice, DoorDash stressed that the breach did not involve sensitive identifiers. “No sensitive information was accessed by the unauthorized third party and we have no indication the data has been misused for fraud or identity theft at this time,” the company said. That includes Social Security numbers, government-issued IDs, driver’s license details, and bank or payment card information—none of which were compromised, according to the company.

The breach impacted “a mix of customers, delivery workers, and merchants,” DoorDash confirmed. When pressed for the scope of the incident, spokesperson Michelle Babin did not provide numbers, instead repeating the company’s public statement.

DoorDash says it detected the intrusion, cut off the attackers’ access, opened an internal investigation, and notified law enforcement. The company attributed the incident to an employee who was targeted and deceived in a social engineering scam, a reminder of how often attackers bypass technical defenses by going directly after people.

As part of its response, DoorDash says it is rolling out security upgrades, expanding employee training on social engineering threats, and working with an external firm to support its investigation. The company has also notified those whose information was accessed and set up a dedicated call center for questions.

DoorDash apologized for the incident, saying it wants to “earn that trust every time you choose to use or partner with DoorDash.” The company’s support line is available to affected users in the U.S., Canada, and internationally.
