It was initially reported that sensitive data on almost 2000 Instacart shoppers may have been exposed to third-party contractors who were providing IT and security support. However, as more information has come to light, Instacart has revealed that no customer information or profiles were accessed or impacted.
Instacart issued a press release stating that two employees from a third-party contractor “may have reviewed more shopper profiles than was necessary in their roles as support agents.”
It is believed that once Instacart uncovered the intrusion, the retailer contacted a forensic analysis firm to investigate. It stated that no shopper data was stored, downloaded or digitally copied in any way and that no customer information or profiles were accessed or affected.
Instacart has since stated: “During a recent review of support protocols, we determined that two employees retained by one of our third-party support vendors may have viewed more shopper profile information than was necessary in their roles as support agents. We’ve concluded that no shopper data was stored, downloaded or digitally copied in any way, and no customer information or profiles were accessed or impacted. That said, we have zero tolerance for anyone who abuses their role and that extends to our third-party vendors. As a result, we worked with this third-party support vendor to ensure their two employees never work on behalf of Instacart again, and have since ceased local operations with this vendor indefinitely.”
The following cybersecurity experts had their say on the incident:
Keith Geraghty, solutions architect at Edgescan:
“Looking at countries that log these breaches with great care, we cannot see the insider breaches where individuals access data to which they have permission to do so, however, without business justification is relatively common. Cases can be seen by police, in medical care and more. The interesting part is that this is generally only detected where there are strict requirements for logging and auditing. There is no reason to suspect that police or medical care, or in this case support workers, are more inclined to such breaches, but rather that if you look for deviations, you shall find deviations. This speaks nicely in favor of a good practice of logging and auditing where the breach occurred.”