In May 2021, someone hacked the Spanish subsidiary of the delivery company Glovo, accessing an old platform administration panel and using it to extract data owned by the company. Days later, the 480 GB of personal data contained in the leaked database was posted for sale on a Dark Web forum. Now, a year and a half later, history repeats itself.
If you are a Glovo Spain customer, employee or delivery person, we have bad news for you: your private data is once again available to the highest bidder on the Dark Web. A user named ‘k4fk4’, recently registered on Breach Forums (the successor to the popular Raid Forums after its closure by the FBI), published a post last Saturday in which he provided graphic evidence that he has the company's database in his possession, and encouraged interested parties to contact him to acquire it:
“Important: This is an exclusive database. I will only sell it once.”
In the normal dynamics of this type of illegal market, an exclusive sale means that the price will be higher, and the fact that he has not set a reference price means that the database will end up in the hands of whoever makes the biggest offer.
What happened has already been reported to the Spanish Data Protection Agency, a body that already fined Glovo two years ago, precisely for not having a Data Protection Officer:
Following the news this morning, we have just #applied to the Data Protection Agency – @AEPD_es through a #complaint to #INVESTIGATE the security breach at @Glovo_ES
Information leaked from 5,790,564 orders. IBAN, address, email, phone.. pic.twitter.com/lA2fkCNJaV
– Gonzalo Oliver (@oliver_martin22) August 3, 2022
McDonald’s, also affected by association
But what exactly would the ultimate owner of this information be buying? According to ‘k4fk4’, it would include data on 5,790,564 customer orders, 21,379 employees and 37,509 couriers: full names, NIF, dates of birth, telephone numbers, postal and email addresses and even bank details (IBAN).
In the case of orders, it is possible to access information about who placed the order, who took it, from which location it was shipped, what was included and how long it took to be delivered.
Unexpectedly, the database also has 3,854 McDonald’s incident report records. This is explained by the fact that McDonald’s maintains an exclusivity agreement with Glovo for home deliveries, so it is this company that manages the incident system, which includes all kinds of information on the reason for claims, solutions proposed to the customer, products involved, etc.