Recently Instacart, a grocery pickup and delivery service, disclosed a data breach that involved unauthorized access to customer accounts. Sounds like an Insta-issue to me…


Instacart – A Grocery Delivery Company

Welcome back, readers, to the 27th installment of the cyber attack of the week series. Today, we are reviewing a recent attack on Instacart.

Now, for those wondering just what Instacart is, allow me to explain. Instacart is “an American company that operates a grocery delivery and pick-up service in the United States and Canada with headquarters in San Francisco.” (Via Wikipedia).

The service works as an application that allows customers to place their grocery order through their app and have an Instacart employee shop and deliver the order. 

Many people use this service, especially during the COVID-19 pandemic. Having the ability to avoid the grocery store and public places right now is a step in protecting your family from COVID-19.

Continuing on, this company recently disclosed that they experienced a cyber security issue of sorts. Now, let’s dive into the attack.


Instacart or Insta-issue?

To begin, Instacart released a statement regarding the issue on August 20th, 2020. The statement begins by acknowledging that the issue came to light during a routine review of support protocols. 

That review led to the discovery that employees of a third-party company used by Instacart may be the culprits.


“As part of our ongoing review of support protocols, we’ve determined that two employees retained by a third-party support vendor we work with may have reviewed more shopper profiles than was necessary in their roles as support agents. Upon discovering this inconsistency, we immediately retained a leading forensic analysis firm to promptly investigate the matter.”


Further in their statement, the company says that the individuals may have had access to “names, email addresses, telephone numbers, driver’s license numbers, and a thumbnail image of the driver’s license.”

After listing the customer information that may be at risk, Instacart states that “no shopper data was stored, downloaded or digitally copied in any way.”


What Will They Do Now?

Continuing on, many customers and spectators may be wondering what the next steps for Instacart are. The company remains firm on its stance of having “zero tolerance for anyone who abuses their role and that extends to our third-party vendors.”

Instacart took action with the third-party vendor to ensure the individuals at fault will not work with Instacart again. They also suspended work with that specific third-party vendor.

The company goes on to say that those possibly affected by or in contact with the two individuals are now aware of their actions.

Further, for customers, Instacart will be implementing shopper support and two-factor authentication for shopper logins. 

To view the entire extent of the enhanced security plan, see the full company statement.

Overall, I believe that the company put together a well-written response and plan regarding the issue. Although the severity scale of this cyber attack is low, it is still not something a company wants to face.

But, I think that with further security implementations and monitoring, Instacart is on their way to recovery. 


By Taylor Ritchey