[tomp]

> there's no distinction between an en masse data leak and someone being able to access your personal info without authority under GDPR. Both are a data breech. It seems like many people have been affected by this too so clearly Deliveroo doesn't have the mechanisms in place to protect user information. The fact unauthorized people can spend your money through Deliveroo is even worse

Well, the distionction can be as easy as someone hacking the company vs. guessing your password. What is the company to do to protect against the latter?! After all, the password is the authorisation, so I would even claim it's not unauthorised access...

[snowwolf]

There are many things they could do. For starters they could verify (email, 2 factor, something) unusual sign ins - for example sign ins from a new IP, especially if that IP has a higher risk profile (data center, known vpn, tor exit nodes, different registered country, etc.), or sign ins from a new device.

[jwdunne]

That'd be a valid excuse if you're not safeguarding personal and sensitive data. But is that the most you can do to protect the addresses and some level of access to somebody's money?