DoorDash is alerting customers about a massive data breach that occurred back in May.

In all, the data of 4.9 million customers, drivers and merchants was exposed in the breach. There was a lot of information released, but aside driver’s license numbers for drivers; much of it was relatively low risk information. DoorDash listed the breached data in a blog post.

• Profile information including names, email addresses, delivery addresses, order history, phone numbers, as well as hashed, salted passwords — a form of rendering the actual password indecipherable to third parties.
• For some consumers, the last four digits of consumer payment cards. However, full credit card information such as full payment card numbers or a CVV was not accessed. The information accessed is not sufficient to make fraudulent charges on your payment card.
• For some Dashers and merchants, the last four digits of their bank account number. However, full bank account information was not accessed. The information accessed is not sufficient to make fraudulent withdrawals from your bank account.
• For approximately 100,000 Dashers, their driver’s license numbers were also accessed.

The breach happened sometime between April 5 and May 4 of 2019 when the company spotted the breach. The company blamed an “unauthorized third party,” but the name and the function of said party was not revealed by the company. Given the huge number of third parties that connect to these delivery networks, incidents like this are likely to grow, according to Kelly White, the CEO of cybersecurity firm RiskRecon.

“Breaches of company data due to security failures of their third-party providers are going to continue at an increasing rate until companies own up to doing the work necessary to effectively manage vendor risk,” said White. “Companies must verify the quality of their vendor cybersecurity through direct evidence, enabling them to gain the transparency necessary to understand their risk and hold their vendors to better cybersecurity performance.”

According to an IBM survey of cybersecurity incidents, the average time for retail and hospitality companies to alert customers is six and a half months, so at five months, DoorDash’s response is actually ahead of the curve. Proposed rules in California and the European Union’s General Data Protection Regulation (GDPR) legislation require would require notification within 72 hours. DoorDash also skirted under the radar of recent New York cybersecurity rules that apply to financial services.

That said, it could still damage the trust of consumers and may cost plenty to fix, prevent the next issue and potentially lead to the company being sued.

According to IBM, the average cost of a breach in the hospitality sector is $120 per capita. But given that not a lot of very sensitive data like social security numbers or full bank records, DoorDash is unlikely to see at $500 million hit from this. The grand average for all breaches is closer to $3.8 million when adding in lawsuits, security updates and everything that goes into further prevention, communication and loss of business.

The loss of driver’s license details for Dashers and even the partial bank data, however, leaves customers open to identity theft, according to Ray Walsh, a privacy advocate at the firm ProPrivacy.

“The diverse assortment of data that has been stolen could easily allow hackers to engage in identity theft and might result in DoorDash customers being targeted by spear-phishing campaigns designed to pry more data from them,” said Walsh. “DoorDash has admitted that the last four digits of some customers’ card details have been exposed, meaning that hackers could attempt to trick users into providing the rest of their details using sophisticated phishing attempts.”

According to DoorDash customers who have been affected are currently being notified and asked update their passwords.

Read more about the breach, the follow up and a FAQ from DoorDash on the company’s blog.