[jwdunne]

If I recall, there's no distinction between an en masse data leak and someone being able to access your personal info without authority under GDPR. Both are a data breech. It seems like many people have been affected by this too so clearly Deliveroo doesn't have the mechanisms in place to protect user information. The fact unauthorized people can spend your money through Deliveroo is even worse.

Deliveroo are responsible for the data you give them. If they fuck up and allow unauthorized people access to that data, they're in breech of the GDPR.

If they haven't informed ICO (and equivalent in any country within GDPR rules) within 72 hours of each breech, they're in even deeper shit. First, they have to be clear about the scale of the breech and what exactly has gone wrong. They've got to be able to demonstrate the steps they've taken to mitigate the issue and prevent it happening in future. If people are complaining on a regular basis for months, they've not done that.

[vivan]

Do you have a source for that? If that is the case then pretty much every major website is in breach. Credential stuffing is rampant and very easy to do these days. It's not the website's fault that the user gave out their password.

However, I do agree that Deliveroo needs to do more to protect users against this. 2-factor authentication, email confirmation from a new IP, re-entry of card details when ordering to a new address are all simple ways to handle this. Deliveroo has not prioritised this because their main priority is growth.

[snowwolf]

In the UK, the ICO guidelines are

"A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data."

The key part being "unauthorised disclosure of, or access to, personal data."

So does credential stuffing qualify - In my opinion yes, as it is unauthorised access to personal data.

They then go on to say "When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then you must notify the ICO;"

And again, the ability to place orders and deliver them to a new address charging the existing credit card I think qualifies as a severe and likely risk.

https://ico.org.uk/for-organisations/guide-to-data-protectio...

Edited to add: In the absence of any legal precedent I’d challenge you to find any lawyer who’d confidently say that credential stuffing definitely doesn’t meet the criteria.

[bertil]

That would be an interesting development. It means that either:

- is it illegal to not have 2FA; I’m not against that, but it feels… excessive;

- every website, including small irrelevant ones, with a password (like HN) needs to crawl the darker internet to check for leaked lists of email/passwords; that would make those unsavoury forums crawl with solution vendors; it would also make it illegal to not find the most obscure ones; in other words, a non-option;

- ban the use of any password listed on https://haveibeenpwned.com/Passwords which feels more manageable, but… does the service offer an API?

Which one feels the most likely to happen in the short term?

[snowwolf]

Remember part 2 of that section:

"establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then you must notify the ICO;"

So if it's a small irrelevant website, there isn't likely to be a high or severe risk to that "breach", so they should be ok.

In terms of options, I think there are more, mostly around sites getting more sophisticated at defending against credential stuffing attacks - treat logins as more suspicious if they are from a new device, new ip, use a password that you know is in a breach list (have i been pwned), etc. and put in place a 2nd factor like email confirmation of the login even if they haven't turned on 2FA. Or at least restrict access to sensitive parts of your site if the login was suspicious until you can verify it was an authentic login.

[mannykannot]

'So if it's a small irrelevant website, there isn't likely to be a high or severe risk to that "breach", so they should be ok.'

To be clear, no website, depending on passwords alone, can know if an access was authorized by the person who is the subject of the account. Therefore, it would seem that the only sites that can use password-only authentication without risk are those that hold no personal information about their customers. According to your own interpretation of the law, some of your proposed mitigations would not be sufficient to eliminate the risk, if any personal information is held.

[snowwolf]

>> According to your own interpretation of the law

Look, I am not a laywer, and I am happy for someone to correct me here, but this is the wording of the law:

"A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data."

Is there anything in that sentence that means a successful credential stuffing attack would not fit the criteria?

[vivan]

So if someone hacks your email because you didn't have sufficient protections in place, does that make the email provider liable? Seems like an argument that falls apart very quickly.

[snowwolf]

Yes, exactly that if the email provider hasn’t put in place sufficient defences. Why wouldn’t they be liable? They have a duty of care under GDPR to protect your personal data. If they are negligent in that duty then absolutely they should be liable.

[vivan]

I'm not saying Deliveroo isn't in the wrong here - they absolutely should have more defenses, but I still think this argument makes little sense. What if they have the defences in place but you choose to disable them? Who is liable then? I personally have 2FA on my GMail, but plenty of people choose not to - is it Google's fault for not forcing it on them?

[snowwolf]

You’re forgetting something. This isn’t my argument. This is what GDPR states. Unauthorised access to personal data constitutes a data breach. Does someone accessing your personal data who is not you using a stolen password count as unauthorised? Yes.

It will ultimately come down to a test case, but as I said before, you will be hard pressed to find a lawyer who would tell a company that they definitely won’t be liable.

[snowwolf]

I'm not sure why this is being downvoted. All I am doing is pointing out what the current law is under GDPR. You may not agree with the law, but that doesn't change what it says.

[tomp]

> there's no distinction between an en masse data leak and someone being able to access your personal info without authority under GDPR. Both are a data breech. It seems like many people have been affected by this too so clearly Deliveroo doesn't have the mechanisms in place to protect user information. The fact unauthorized people can spend your money through Deliveroo is even worse

Well, the distionction can be as easy as someone hacking the company vs. guessing your password. What is the company to do to protect against the latter?! After all, the password is the authorisation, so I would even claim it's not unauthorised access...

[snowwolf]

There are many things they could do. For starters they could verify (email, 2 factor, something) unusual sign ins - for example sign ins from a new IP, especially if that IP has a higher risk profile (data center, known vpn, tor exit nodes, different registered country, etc.), or sign ins from a new device.

[jwdunne]

That'd be a valid excuse if you're not safeguarding personal and sensitive data. But is that the most you can do to protect the addresses and some level of access to somebody's money?