by EthanV2 2706 days ago
By the sounds of it this is a simple credential reuse attack (it's even stated as such in the article), so I really don't see where these accusations of a "data breach" and "encryption, which appears not to have been in place" come from. If these fraudulent transactions are the result of credential reuse I really don't see the GDPR violation here.

Yeah, not to defend Deliveroo (that's still abhorrent customer service), but I fail to see how they can back up the allegations of the various breaches. How do they know encryption was not in place?
Don't see it either. Nobody said there was an actual breach. Of course a change of delivery address/email/phone, or when combined with unusual orders (large amounts), should be flagged and cause 2FA or some other mechanism to request confirmation from the account holder of record.
It sounds like this could be trivially fixed by requiring re-entering payment details if you order to a new address, like Amazon and others do.
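The two mitigations proposed in the comments above (flag a recent email/phone/address change combined with an unusually large order and push it to 2FA, and require card details to be re-entered when the delivery address is new) can be expressed as a small risk-rule check at checkout. The following is an added example written for this thread, not code from Deliveroo or any commenter; the 24-hour window, the 3x-median threshold, the account and order fields, and all sample data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional, Set

# Hypothetical thresholds; a real deployment would tune these from its own fraud data.
RECENT_CHANGE_WINDOW = timedelta(hours=24)   # how recent an email/phone/address edit counts as "recent"
UNUSUAL_MULTIPLIER = 3.0                     # an order is "large" if it exceeds 3x the account's median


@dataclass
class Account:
    known_addresses: Set[str]                # delivery addresses used on completed orders
    past_order_amounts: List[float]          # values of previously completed orders
    last_contact_change: Optional[datetime]  # when email/phone/address were last edited, if ever


@dataclass
class Order:
    address: str
    amount: float
    placed_at: datetime


def is_unusual_amount(amount: float, past_amounts: List[float]) -> bool:
    """Large relative to this account's own history; with no history there is no baseline."""
    if not past_amounts:
        return False
    return amount > UNUSUAL_MULTIPLIER * median(past_amounts)


def assess_order(account: Account, order: Order) -> Set[str]:
    """Return the extra confirmations required before the order is accepted.

    'reverify_payment': the delivery address has never been used on this account,
        so the card details must be typed in again (a reused password alone does
        not give an attacker the stored card).
    'step_up_2fa': contact details were changed recently AND the basket is unusually
        large, so confirm out of band with the account holder of record.
    """
    checks: Set[str] = set()
    if order.address not in account.known_addresses:
        checks.add("reverify_payment")
    recently_changed = (
        account.last_contact_change is not None
        and timedelta(0) <= order.placed_at - account.last_contact_change <= RECENT_CHANGE_WINDOW
    )
    if recently_changed and is_unusual_amount(order.amount, account.past_order_amounts):
        checks.add("step_up_2fa")
    return checks


def run_examples() -> Dict[str, List[str]]:
    """Constructed scenarios (not real customer data); returns scenario name -> sorted checks."""
    now = datetime(2024, 1, 10, 19, 30)
    history = [18.0, 22.0, 25.0, 20.0]      # typical takeaway orders for this account (median 21)
    home = "12 Example Street"
    untouched = Account({home}, history, last_contact_change=None)
    edited_today = Account({home}, history, last_contact_change=now - timedelta(hours=2))
    edited_last_month = Account({home}, history, last_contact_change=now - timedelta(days=30))

    scenarios = {
        # usual basket to the usual address: nothing extra
        "routine": (untouched, Order(home, 21.0, now)),
        # first order to a new address: card details must be re-entered
        "new_address": (untouched, Order("99 Other Road", 21.0, now)),
        # email/phone changed two hours ago and the basket is about 5x normal: step-up 2FA
        "changed_then_large": (edited_today, Order(home, 110.0, now)),
        # same large basket, but the edit was weeks ago: large alone is not flagged
        "old_change_large": (edited_last_month, Order(home, 110.0, now)),
        # fresh edits, new address and a large basket: both confirmations required
        "takeover_pattern": (edited_today, Order("99 Other Road", 110.0, now)),
    }
    return {name: sorted(assess_order(acct, order)) for name, (acct, order) in scenarios.items()}


if __name__ == "__main__":
    for name, checks in run_examples().items():
        print(f"{name:20s} -> {checks or 'allow'}")
```

The rule deliberately keys "unusual" off the account's own order history rather than a fixed amount, so a customer who routinely orders for an office is not challenged on every order, while a hijacked account that normally spends 20 is challenged the moment a large basket follows a contact-detail change.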