
Deliveroo users are getting defrauded - danso
https://www.newstatesman.com/science-tech/security/2019/01/deliveroo-users-are-getting-defrauded-and-it-could-be-fined-millions
======
entity345
Perhaps worth mentioning, since it's nowhere in the article, that the first
thing to do is not to spend hours on the phone with Deliveroo (or whoever
else) but to call your bank to report the transactions as fraudulent and to
block your card.

That will probably get you a refund quicker (the transactions will likely be
held until clarified) and will stop any further fraud.

As for Deliveroo's support team... Not very good in my experience, but that's
common. Their competitors are no better.

~~~
Waterluvian
This is basically the sole "feature" of credit cards I value. Any time I'm
buying something from somewhere that might act poorly, I use a credit card for
the free leverage I have in a disagreement.

Had an old phone's screen repaired at a store inside a Walmart. They fixed it
but half the screen had no touch capability. They were highly resistant to
doing anything about it until I said I would just do a chargeback. Tone
instantly changed.

~~~
giancarlostoro
I've started using privacy.com after I saw a post here on HN about it. It's
pretty nice. Basically you link up your bank account and they create debit
cards for any online vendors you use, and you can set limits, destroy cards
etc. I usually put monthly / transactional limits. Like with Uber Eats I know
I only spend x amount, if anybody tried to use my Uber Eats card for 100 USD
it would decline it. But also it locks itself to the vendor you choose, so it
can't be used elsewhere.

~~~
cabalamat
> I've started using privacy.com

Which is US only. Is there anything like it for the UK?

~~~
Sahhaese
UK banks are already very good about refunding fraudulent transactions and
associated fees:

[https://www.fca.org.uk/consumers/unauthorised-payments-accou...](https://www.fca.org.uk/consumers/unauthorised-payments-account)

"In most cases the bank must refund the payment without undue delay and by the
end of the business day following the day on which it became aware of the
problem, unless it has reasonable grounds for suspecting that you have acted
fraudulently."

"When your bank refunds an unauthorised payment it must also refund any
charges and interest you have paid because of the unauthorised transaction."

~~~
kennethp
I would be very careful on this one.

Some providers are interestingly stubborn when it comes to chargebacks and
can hold on to the (fraudulent) vendor's side even if you're clearly right.

Monzo in the UK is a prime example of that. An internet vendor charged me
more than he should have and refused to void the transaction (basically text-book
fraud), and I filed for a chargeback with Monzo. I was extremely confident
that it wouldn't take much; however, Monzo customer service resisted helping.

The monetary value wasn't much; however, in the end I perfectly understood that
this "protection" does not exist on the credit card issuer/bank side of
things.

Be careful.

~~~
matthewmacleod
You didn’t file for a chargeback with Monzo, because they don’t offer credit
cards. There’s less protection generally with debit cards.

Generally guidance is that you are entitled to a refund from the bank only if
you did not authorise a particular transaction.

~~~
kennethp
Does it matter? The simple reason they are there is to protect my interests.
If they can't do it for a few quid, how can they do it for larger sums of
money?

The Moral of the Story: Money institutes may not cover you like you think they
will.

I've learned my lesson.

Again, be -very- careful.

~~~
mikestew
_Money institutes may not cover you like you think they will._

Not if you didn't read your debit card agreement, no. Nothing you've stated
wouldn't be clearly spelled out in the agreements I've seen for debit cards. I
mean, I can see how this happens: looks like a credit card, must have the same
protections as what people online say about credit cards, right? Nope.

------
kitbrennan
I'm not surprised by this response from Deliveroo. Their focus lately has
definitely moved away from customer satisfaction.

I discovered recently that drivers are allowed - without penalty - to reject
an order when they reach the pickup location if they see the receipt and
decide it is too far to travel [1].

As a customer you just see your food go: `Assigning Driver -> Driver En Route
to Pickup -> Driver Arrived at Pickup Location -> Assigning Driver`, for two
hours on repeat. Eventually your cold food arrives 2 hours later, and you are
offered £5 credit for your ruined meal.

I live in Central London (Old Street), and have had this happen repeatedly
with restaurants that are not far from me.

[1] = [https://www.reddit.com/r/deliveroos/comments/82w97o/riders_o...](https://www.reddit.com/r/deliveroos/comments/82w97o/riders_only_taking_close_orders/)

~~~
skh
I think I’m old fashioned but I just don’t understand the appeal of these food
delivery services. My friend’s son uses Postmates to order fast food and it
seems absurd to me.

I must be missing something about these services given their popularity. Do
you mind explaining why you use them?

~~~
pbalau
I think you are just trying to be that guy. I go to this website, pick what I
want, pay and some time later what I ordered gets delivered to my door. What's
there to get?

~~~
ams6110
Fast food is pretty bad when it's fresh. It's awful after it's been in transit
for 20-30 minutes or more. The idea of spending $10 or more to get a lukewarm
burger and mushy limp french fries has no appeal to me.

~~~
astura
I think people are ordering from more upscale restaurants, not McDonalds.

Food temperature is a personal preference, some people are really picky about
food being hot/fresh, some aren't. I prefer the taste of room temperature food
over hot food so "sitting around for 20 minutes" would be a feature for me.

~~~
FireBeyond
You say that, but I saw someone picking up an UberEats at McDonalds...

... and then jumping into his new C300 to deliver it.

I'm not sure I can process that. New Mercedes, let's put miles on it
delivering fast food...

~~~
astura
He owns a Mercedes so he probably loves driving. Maybe if he wasn't delivering
for UberEats he'd be out joyriding in his new Mercedes without a destination.
In doing UberEats he's got a destination and he'll decrease his expenses by
like $5/hour and take another car off the road. I know a guy who spends like
half his free time driving around in a $70,000 pickup truck because he enjoys
it, doesn't have a destination, just goes for a drive for fun.

And some people really like McDonalds and don't care for the fancy stuff.

It's not for me, but it basically boils down to "people like different
things than me."

I know someone else who can't understand why anyone would ever play video
games: "it's time and effort for zero reward."

Some people enjoy doing work on their car, while others would rather pay
someone to do the work for them.

Humans aren't the same.

------
anonknowsaguy
Fun fact about Deliveroo. A lot of your drivers aren't the registered driver.
It's really common practice for a citizen or someone with a work visa to
register and then rent their phone to someone desperate with no work visa. So
your driver is often making almost nothing while someone else sits on their
ass and collects cash for doing nothing and then Deliveroo again sits on their
ass providing poor service collecting even more cash.

~~~
iagooar
> It's really common practice for a citizen or someone with a work visa to
> register and then rent their phone to someone desperate with no work visa

Do humans really have such low morality and ethics? I just can't picture a
person who does this to another human being...

~~~
gph
Did saying this make you feel better about yourself or something?

Because it's a ridiculously naive statement at best. More likely just some
sanctimonious BS you decided to post to signal how much of a good person you
are.

Like seriously, what world do you live in where you can't picture a person
doing something to take advantage of another person? Have you read literally
anything in history?

~~~
ergl
Did saying this make you feel better about yourself or something?

Because it's a ridiculously smug statement at best. More likely just some
sanctimonious BS you decided to post to signal how much of an intelligent
person you are.

Like seriously, what world do you live in where you can't picture a person
thinking that it's sad that a person takes advantage of another person? Have
you read literally anything in history?

~~~
gph
How meta. You must be a super clever person with original thoughts to add to
every discussion.

------
neya
There is one more aspect of fraud the journalist has missed - chargeback
fraud. Chargeback fraud is where companies try to lengthen the timeline of
resolution of a fraudulent incident such as this one so that it exceeds your
bank's official timeline for being eligible for getting your money back.
Usually it's about 45-60 days and varies from bank to bank.

To me, as someone who worked in this industry before, this simply seems like a
ploy by Deliveroo to escape absorbing the chargeback cost. Because that is
exactly what would happen if you called your credit card's bank/company and
asked them to initiate a chargeback for the fraudulent transactions instead of
begging Deliveroo: the money will first be refunded to you almost immediately
(varies from bank to bank), and then an investigation will be opened against
the merchant in question (in this case, Deliveroo). When you provide your
credit card company with valid proof that you're innocent by sharing logs,
screenshots, etc., the dispute will be settled and the bank will side with
you, the customer, and thus the merchant will bear the loss of the
fraudulently transacted amount.

It seems Deliveroo may be doing EXACTLY this to avoid letting the customer
become eligible for a refund later through their banks, by pushing them past
the chargeback window. This is actually criminal in some countries, and
grounds for a class action suit, which I hope someone files against them if they
are found guilty of this.

The other reason for the elongated resolution timelines is that Deliveroo
actually benefits from these transactions - think about it, they earn for each
transaction and in some markets, if I'm not wrong, the larger the transaction,
the more they earn. So why would they do something fast that affects their
revenues negatively?

Anyway, my personal experience with Deliveroo has also never been positive and
I don't recommend them at all.

------
fredley
I thought this was going to be about ordering food from one restaurant, only
to have it prepared in another 'sublicensed' kitchen, sometimes a shipping
container:

[https://www.theguardian.com/business/2017/oct/28/deliveroo-d...](https://www.theguardian.com/business/2017/oct/28/deliveroo-dark-kitchens-pop-up-feeding-the-city-london)

~~~
himlion
Is this actually shady? When doing takeaway you are not really paying for the
ambiance of the restaurant anyway and IF the quality is the same I wouldn't
necessarily have a problem with it.

~~~
Deestan
> IF the quality is the same

That's the thing. It isn't. Every franchise, big or small, has wildly
different quality of ingredients and preparation (and even send the correct
damn drink and remember the dip) among outlets, and if I order from _that_
one, I want _that_ one to prepare my food.

~~~
rubyboss
Deliveroo Editions sites are clearly marked on the app with a banner across
the main photo of the restaurant. You aren't led to believe the food is coming
from somewhere it isn't.

~~~
fredley
> banner across the main photo of the restaurant

> You aren't led to believe the food is coming from somewhere it isn't.

I think we have different definitions of what being 'led to believe' is.

------
simias
Maybe I'm missing the point but how did the fraud take place to begin with?
Somebody phished the author's Deliveroo account and used it to buy a lot of
food? If so what would be the right way for Deliveroo to solve the issue? I
mean if they just swallow the cost and reimburse her with no questions asked
it seems easy to abuse, I could just order a lot of food then later complain
that my account has been breached. Then again that's pretty much what Amazon
does in these situations in my experience but not everybody has Amazon's deep
pockets...

That's not to say that their current response (or lack thereof) isn't bad,
it's more that I'm not sure what would be a good response in this situation.

I'm also not sure how Deliveroo could be considered liable if the breach is on
the user's side (phished password) rather than a server-side vulnerability. If
I offer an online service and one user gets their password stolen, would I be
liable for that? If so, what should I do if somebody claims that their account
was stolen? What if they're actually lying to get access to a legit account?

~~~
vivan
Standard security practices: not allowing delivery to a new address without
reconfirming credit card details, sending an email confirmation upon login from a
new location/device, and in the more extreme cases, 2-factor auth.

~~~
simias
That makes a lot of sense now that you point it out. Thank you.

------
vivan
It sounds very much like this journalist is trying to make a mountain out of a
mole hill.

The real story is that Deliveroo does not handle fraud properly. This is a
much lesser crime than what they are being accused of.

The author wants to make it seem like Deliveroo has had a data leak and are
trying to hide the fact. There is no evidence of this, but if it did turn out
to be true then the author would be able to claim that they broke the story.

~~~
jwdunne
If I recall, there's no distinction between an en masse data leak and someone
being able to access your personal info without authority under GDPR. Both are
a data breach. It seems like many people have been affected by this too, so
clearly Deliveroo doesn't have the mechanisms in place to protect user
information. The fact unauthorized people can spend your money through
Deliveroo is even worse.

Deliveroo are responsible for the data you give them. If they fuck up and
allow unauthorized people access to that data, they're in breach of the GDPR.

If they haven't informed ICO (and equivalent in any country within GDPR rules)
within 72 hours of each breach, they're in even deeper shit. First, they have
to be clear about the scale of the breach and what exactly has gone wrong.
They've got to be able to demonstrate the steps they've taken to mitigate the
issue and prevent it happening in future. If people are complaining on a
regular basis for months, they've not done that.

~~~
tomp
> there's no distinction between an en masse data leak and someone being able
> to access your personal info without authority under GDPR. Both are a data
> breech. It seems like many people have been affected by this too so clearly
> Deliveroo doesn't have the mechanisms in place to protect user information.
> The fact unauthorized people can spend your money through Deliveroo is even
> worse

Well, the distinction can be as easy as someone hacking the company vs.
guessing your password. What is the company to do to protect against the
latter?! After all, the password is the authorisation, so I would even claim
it's not unauthorised access...

~~~
snowwolf
There are many things they could do. For starters they could verify (email, 2
factor, something) unusual sign ins - for example sign ins from a new IP,
especially if that IP has a higher risk profile (data center, known vpn, tor
exit nodes, different registered country, etc.), or sign ins from a new
device.

------
aboutruby
> Deliveroo has blamed the breach on cybercriminals getting hold of login
> details “stolen from another service unrelated to our company in a major
> data breach”.

> This is despite the company not asking customers to enter a Card
> Verification Value 2 (CVV2) code when making orders, a card security system
> designed to ensure that someone ordering something online has physical
> possession of the card used to pay for it.

More info on an article from November 2016:
[https://nakedsecurity.sophos.com/2016/11/25/fraudsters-eat-f...](https://nakedsecurity.sophos.com/2016/11/25/fraudsters-eat-for-free-as-deliveroo-accounts-hit-by-mystery-breach/)

BBC's Watchdog documentary:
[https://www.bbc.co.uk/programmes/articles/3ZMjkWFfDZQ8zFYQJL...](https://www.bbc.co.uk/programmes/articles/3ZMjkWFfDZQ8zFYQJLWFKQM/deliveroo)
(with response from Deliveroo)

------
MagicPropmaker
> (Later – a lot later – a Deliveroo spokesman would tell me it was likely I
> had been the victim of a “credential stuffing” attack, in which hackers
> obtain lists of usernames and passwords and try them out on other
> platforms.)

So this Tech Journalist uses the same password on every site?

~~~
DoctorOetker
The real issue IMHO is the "credential stuffing attack" makes no sense: hungry
people getting their hands on leaked password dumps? A bunch of black hat
hackers running a Delivery clone, getting clean money from customers, but
really getting an innocent Delivery user charged, and having the order be
sent to the address of the customer? None of this makes sense!

It seems to me like the corruption or fraud is _within_ Deliveroo.

------
aembleton
Another good reason to use a fintech bank account such as Monzo [1] or a
credit card such as Tandem [2] or a virtual card that can forward transactions
onto any other card such as Curve [3].

All of these services can give you a push notification every time a
transaction is made on your account so that you are immediately made aware and
are able to cancel them. You can block the card from within the app
immediately.

1. [http://join.monzo.com/r/vrlkxvo](http://join.monzo.com/r/vrlkxvo) (Using
this link gives us both £5)

2. [https://www.tandem.co.uk/credit-card/](https://www.tandem.co.uk/credit-card/)

3. [https://www.imaginecurve.com/](https://www.imaginecurve.com/) (Sign up
with WAI91 and we both get £5)

~~~
wil421
Amex has the same thing and their customer protections are generally better
than the Fintech companies. Although Amex is not so common in the U.K.

Do any UK credit card companies offer consumer and fraud protection above the
norm? Amex would immediately side with me if I showed them the Deliveroo
communication. Another Citi VISA I had offered 18 months warranties on laptops
and other electronics if I used the card.

~~~
24gttghh
Do all Amex cards have this? I've never seen this feature offered by them.

Edit: apparently they stopped doing this for average cardholders 15 years ago
and it's a corporate-card-only thing now called 'Amex Go'

~~~
duderific
Amex recently detected a fraudulent charge on my card, and sent me an email
with a "click here" button which, after I confirmed my identity, triggered the
issuance of a new card in the mail in a couple of days.

I should note I have a "Starwood Preferred Guest" Amex card, but that is not a
corporate card. It may be that the SPG card has additional features that a
regular card would not.

------
CaptainZapp
_“Deliveroo takes online security very seriously. Sadly fraudsters rely on the
fact that people reuse the same passwords on multiple online services to try
and gain entry to different accounts across the web.”_

Yeah! Blame it on your customers! Way to go!

Sigh! Another gig economy service I'm damn sure never to use.

~~~
jwdunne
That's not even an excuse. There are solutions out there that mitigate the
fact people reuse the same passwords.

~~~
philpem
I'd love to see a more specific version of Troy Hunt's "have I been pwned" API
which explicitly blocked user/password combinations which had been leaked.

The catch is, you'd have to store the pairs together which then makes you a
target, so in practice the best you can really do is what's on offer already
-- check that the password hasn't been leaked (and maybe if the email address
has a high HIBP leak count).

That solution would seem to force people into password managers and random
high-entropy passwords or passphrases...

------
femto113
Credential stuffing attacks aren't a valid excuse IMO, and should not make
this sort of fraud possible. Amazon for example instituted a very simple and
effective policy years ago: if you want to deliver something to a new address
using an existing payment method you need to reenter the payment details. This
means even if someone guesses your username and password and you have a valid
CC on file they still can't send a package to some arbitrary new address.

It's conceivable that the fraud is on the merchant side, with a restaurant
faking a large order to an existing address, but in that case Deliveroo still
has responsibility for allowing bad merchants into the system.

~~~
zackify
I actually found the other day, if I edit an existing address, it doesn’t make
me re-enter payment details. But adding a new one does. Not sure if this was
due to a trusted device or if it always does it though.
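An added example, not Deliveroo's or Amazon's code, of the step-up policy femto113 describes, with the address-edit gap zackify noticed closed by normalising addresses before comparing them: a stored card may only pay for delivery to an address the account has already received an order at, and an unrecognised device must be confirmed first. Account, OrderRequest and all sample values are constructed.

```python
"""Step-up authorisation for a delivery order. Added example; not Deliveroo's
or Amazon's code. Policy from the thread: a stored card may only pay for
delivery to an address the account has already received an order at; anywhere
else, the card details must be entered again. A sign-in from a device the
account has never confirmed needs an out-of-band confirmation first. Saved
addresses are compared after normalisation, so editing a saved entry to a
different street is treated as a new address rather than a trusted one.
Account, OrderRequest and all sample values are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Set
import re


class StepUp(Enum):
    CONFIRM_DEVICE = "confirm_new_device"      # e.g. emailed confirmation link
    REENTER_CARD = "reenter_card_details"      # full card number + CVV again


def normalize_address(addr: str) -> str:
    """Canonical form: case, punctuation and spacing differences collapse,
    but a changed house number, street or postcode does not."""
    s = re.sub(r"[^\w\s]", " ", addr.lower())
    return re.sub(r"\s+", " ", s).strip()


@dataclass
class Account:
    # Normalised addresses that have actually received a completed delivery.
    delivered_addresses: Set[str] = field(default_factory=set)
    # Device ids that completed an out-of-band confirmation before.
    trusted_devices: Set[str] = field(default_factory=set)


@dataclass
class OrderRequest:
    delivery_address: str
    device_id: str
    payment: str  # "stored_card" or "fresh_card_entry"


def required_step_ups(acct: Account, req: OrderRequest) -> List[StepUp]:
    """Every check the order must pass before dispatch, in the order they
    should be presented. An empty list means the order may proceed."""
    checks: List[StepUp] = []
    if req.device_id not in acct.trusted_devices:
        checks.append(StepUp.CONFIRM_DEVICE)
    addr_known = normalize_address(req.delivery_address) in acct.delivered_addresses
    # A freshly entered card proves possession of the card itself, so a new
    # address is acceptable; a stored card going somewhere new is the
    # credential-stuffing pattern and needs the card details again.
    if req.payment == "stored_card" and not addr_known:
        checks.append(StepUp.REENTER_CARD)
    return checks


def record_delivery(acct: Account, req: OrderRequest) -> None:
    """Only an order that actually completed makes its address trusted;
    merely saving or editing an address in the profile does not."""
    acct.delivered_addresses.add(normalize_address(req.delivery_address))


if __name__ == "__main__":
    acct = Account(trusted_devices={"dev-home"})
    record_delivery(acct, OrderRequest("12 Old Street, London EC1V 9AA",
                                       "dev-home", "fresh_card_entry"))
    edited = OrderRequest("12 Old Street, London EC1V 9AB", "dev-home", "stored_card")
    print(required_step_ups(acct, edited))  # edited postcode counts as new
```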

------
martinald
I can't understand this fraud - surely getting something delivered to your
door is the silliest way to defraud something? Also what are they doing with
the £100s of takeaway food they are ordering?

I must be missing something here.

~~~
conradk
From my experience with Deliveroo, you can pretty much order at any address,
wait for the delivery person at the doorstep and retrieve your order without
actually living there.

~~~
martinald
But what you going to do with 3 £100+ takeaway orders back to back? You can
hardly resell it!

~~~
djmobley
Can you not buy things like bottled and canned drinks from places on
Deliveroo? I suppose you could resell those.

~~~
martinald
Fair enough. But the markup on those items is crazy; you could order £100
worth of beer + wine and I'd be surprised if you could resell it for more than
£10-20. Seems like a really risky way to make (not much) money.

~~~
astura
You can sell in bulk to shady grocery stores and restaurants at slightly below
wholesale costs and they sell to their customers.

This is how the market for stolen gas works anyway, I'd imagine stolen cola
and beer would be similar.

------
whyleyc
This is poor form from Deliveroo - their fraud detection seems particularly
lacking, and fobbing customers off for months at a time is not good enough.

However the article is unnecessarily sensationalist in bandying around GDPR
data breaches. Much of the article intimates there has been a Deliveroo data
breach, whereas in fact the most likely explanation is attackers reusing
passwords leaked from other breaches. This is acknowledged towards the end of
the article but quickly glossed over.

If consumers are reusing exposed passwords this makes life tricky for
Deliveroo. Maybe they should be using Troy Hunt's "Pwned passwords" to protect
new user signups:

[https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...](https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/)
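As an added example (not Deliveroo's code and not Troy Hunt's client), here is the signup-time check that philpem's and whyleyc's posts describe, done against the Pwned Passwords range API with k-anonymity: only the first five hex characters of the password's SHA-1 hash leave the server, and the match is made locally. The live fetch is an assumption about the public API's shape; the responses the demo actually runs against are constructed stand-ins.

```python
"""Password-breach check at signup via the Pwned Passwords k-anonymity range
API. Added example; not Deliveroo's code. Only the first 5 hex characters of
the SHA-1 hash are sent; the API returns every hash suffix in that range with
a breach count, and the comparison happens locally. The live fetch assumes the
public API shape (GET https://api.pwnedpasswords.com/range/<prefix>, one
"SUFFIX:COUNT" line per entry); the offline responses below are constructed."""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest the Pwned Passwords corpus is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """5-char prefix that goes to the API, 35-char suffix that stays local."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}. Entries with count 0
    are padding (added when the client asks for it) and are dropped so they
    can never be mistaken for a real hit."""
    counts: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count.strip() or 0)
        if n > 0:
            counts[suffix.strip().upper()] = n
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times this exact password appears in the breach corpus."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Live fetch (not used by the offline demo). Add-Padding asks the API to
    pad responses to a similar size so response length does not leak which
    range was queried."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "signup-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API: two known-bad passwords with made-up
# counts, each range padded with a count-0 entry like a real padded response.
_CONSTRUCTED_BREACHED = {"password": 3861493, "123456": 23597311}
_FAKE_RANGES: Dict[str, str] = {}
for _pw, _n in _CONSTRUCTED_BREACHED.items():
    _p, _s = split_hash(sha1_hex(_pw))
    _FAKE_RANGES[_p] = _FAKE_RANGES.get(_p, "") + f"{_s}:{_n}\r\n" + "0" * 35 + ":0\r\n"


def fetch_range_offline(prefix: str) -> str:
    """Unknown ranges come back as padding only, like an unbreached prefix."""
    return _FAKE_RANGES.get(prefix, "F" * 35 + ":0\r\n")


def signup_password_ok(password: str,
                       fetch_range: Callable[[str], str] = fetch_range_offline,
                       min_length: int = 8) -> Tuple[bool, str]:
    """Signup policy: reject short passwords and any password the corpus has
    seen at least once; a password in a public dump is exactly what a
    credential-stuffing run replays."""
    if len(password) < min_length:
        return False, "too short"
    n = pwned_count(password, fetch_range)
    if n:
        return False, f"seen {n} times in known breaches"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3-constructed-unique"):
        print(candidate, signup_password_ok(candidate))
```

The same check applied to existing accounts is what the Deliveroo engineering post quoted below describes; the pair-level (username plus password) check philpem wants would require holding the leaked pairs, which the password-only range query deliberately avoids.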

~~~
edd
From this Deliveroo engineering blog post:

[https://deliveroo.engineering/2017/09/05/improving-password-...](https://deliveroo.engineering/2017/09/05/improving-password-security.html)

"Therefore, from today, we will be informing our customers when we determine
that the password which they use for Deliveroo is publicly known in some way.
We will contact the impacted customers to request that they change their
password, and advise that they also change that password at other sites where
it is also used."

~~~
whyleyc
Thanks for posting this - I hadn't realised they were already doing it. I'm
not sure how else they could be combatting password reuse attacks, short of
forcing every user to reset their password.

It sounds like their engineering time might be better spent on fraud detection
algorithms.

------
JackFr
Calling the police seems like an important thing the author didn't seem to do.
This is not a nuisance, it's a crime. I am less interested in fining
Deliveroo, rather I would like to see them forced to cooperate with law
enforcement to prosecute thieves.

------
loktarogar
Of all the job interviews I've done, Deliveroo stands out as the only company
that gave me a trick interview test - said specifically not to write a
feature, and when I didn't, they rejected me on that ground.

Not surprising their whole business is like this.

~~~
datenhorst
Why would they do that anyway?

~~~
loktarogar
As they explained it, they wanted people who "went above and beyond"

~~~
kaybe
To the point of ignoring clear directions? Ok..

------
HenryBemis
Fun fact regarding newstatesman.com

I am a user of NoScript, AdBlockPlus (still using 2.9.1), with its "Element
Hiding Helper for Adblock Plus".

My NoScript had already blocked 24 domains, which I guess I have added in the
years before. I proceeded to block another 6-7. When the site reloaded, and
was perfectly visible, the count was "Untrusted (13)". Which means the original
6-7 that I 'just' blocked were loading at least another 12.

And then companies are wondering why Noscript, uBlock, etc. are so popular and
complain about when we care about our privacy!

------
DoctorOetker
I don't understand? Hungry people are buying leaked credentials? Black-hat
hackers are selling meals through a competing service to customers who then
open the door for a Deliveroo guy? None of this is making sense!

Either the fraud is within Deliveroo (dig deeper!), or locating the served
customer will result in the discovery of some kind of weird low-usage "stolen
credential delivery of Deliveroo foods" service (dig deeper!)

This is not properly fleshed out IMHO... but yeah, let's market and compare
credit and debit cards and point systems and pffff

------
ensiferum
Disrupt disrupt disrupt. Avoid any liability for any damages or frauds, employ
gig workers, grow 10x, be a unicorn make the investors wealthier than before
and outsource the negative externalities to society.

------
tyfon
I'm a bit confused, probably since I don't have Apple pay.

Does it not use credit cards? It should then be very easy to dispute the
charge with the bank.

~~~
K0nserv
I use Apple Pay with both my debit cards. This is in the UK.

~~~
djmobley
I wouldn’t use my debit card for any purchases. More protections and less
hassle using a credit card.

~~~
quietbritishjim
The big issue for me is that I have a joint bank account with my partner, so
using my debit card for that automatically splits the bill. I suppose we could
each get a second credit card that we use only for joint transactions and pay
those off from the shared account, but that means that the joint balance is
now effectively split over three accounts, and at any time each of us can only
see the balance on two of them (not the other's credit card). So it's
definitely not "less hassle" in that respect.

~~~
rpeden
I think every credit card I've had has given me the option of adding a second
card for a spouse to use. Maybe something like that?

Then just make sure you both have access to the online account so you can both
view the balance at any time. There's a small amount of extra friction in that
you'll have to coordinate a bit to ensure the card is always paid off
equitably, but it probably wouldn't be too big a hassle.

~~~
tyfon
That's possible at my bank at least, my wife and I have a common account with
two visa debit cards attached (no credit on it).

It's not so much for splitting the bill (I pay the most of what goes in
there), but it makes putting it in our accounting system much easier :)

~~~
quietbritishjim
Who said the split has to be equal :-) But it sounds like you have what I
already have: a joint current account with two debit cards (one for each
person).

------
rzwitserloot
It sounds like the GDPR is more or less unrelated and those fines are not
forthcoming.

If Deliveroo's own analysis is correct (and that is admittedly an 'if', but if
you come out and say 'we hash our passwords, and you can quote me', let's
assume they aren't complete morons in thinking that nobody on their staff
would ever leak it if they didn't), then the problem is not that there has
been a security breach over at Deliveroo. The problem is merely that

[1] Their handling of a breach of account info that they weren't the cause of
is very bad, both not investigating / blocking the recipients of the food
orders (clearly 'whitewashing' fronts), or even trying to take it seriously,

and

[2] doing a bad job at enabling (or even motivating) their users to have good
account security. Anywhere from scanning such credentials lists out in the
wild and autoblocking any user/pass combo that is also a valid deliveroo
login, to offering TOTP.

Both are, to be clear, very bad. Deliveroo deserves all the scorn they are
getting. But neither of these issues is something you can be fined for, at
least, not via GDPR.

------
OptionX
I find it funny how the new "I know I guy" is the "I tweeted to my many
followers" when it comes to dealing with problems.

------
K0nserv
I found Deliveroo sending highly detailed location information to a marketing
company (Braze) yesterday[0]. I can't remember ever giving explicit consent
for this and AFAIK under GDPR just covering this in a Privacy Policy is not
enough.

On the topic of this story it seems like a case of credential stuffing so it's
not a breach in Deliveroo's systems. Do the requirements as a "Data
Controller" still apply in such as case? Regardless Deliveroo seems to be
handling this poorly.

0: [https://twitter.com/K0nserv/status/1087753850088554496](https://twitter.com/K0nserv/status/1087753850088554496)

~~~
scrollaway
> _I can't remember ever giving explicit consent for this and AFAIK under
> GDPR just covering this in a Privacy Policy is not enough._

I don't believe Deliveroo is obligated to tell you who they send such
information to. They are however obligated to tell you that they gather such
information and, should they share it with a third party, ensure that said
third party is GDPR compliant and sign a data processing agreement with them.

Deliveroo doesn't mention Braze directly by name in their privacy policy
([https://deliveroo.co.uk/privacy](https://deliveroo.co.uk/privacy)), but they
do let you know that they disclose "information they collect" to, among
others, "Marketing and advertising partners".

They also mention in the same privacy policy that they "also collect technical
information about your use of our services through a mobile device, for
example, carrier, location data and performance data".

Braze themselves do appear committed to GDPR. That isn't especially
surprising, it's a huge selling point for marketing companies towards
enterprise customers. [https://www.braze.com/product/data-agility-management/regula...](https://www.braze.com/product/data-agility-management/regulations-and-compliance/gdpr/)

IANAL but I don't believe Deliveroo is in breach of GDPR. The best you can
probably do is make a case that they do not have a reasonable justification to
collect such highly-accurate location data for that particular use case, and
should tone it down to, say, 5km instead of 1m accuracy. If you email
dpo@deliveroo.com with such a request, there's a decent chance you could get
the change done.

~~~
K0nserv
Doesn't GDPR require explicit consent[0] for collection of sensitive private
information? This is what many websites have implemented as popups with "I
accept" or "Manage Settings" options. I don't remember going through such a
flow with Deliveroo, and if I did I would have disabled the "marketing"
category for sure.

0: [https://www.i-scoop.eu/gdpr/explicit-consent/](https://www.i-scoop.eu/gdpr/explicit-consent/)

~~~
scrollaway
Hm, I tried to create an account to check the signup flow but it looks like
you need to place an order to create an account (and I'm not that hungry)
(also, that's a really fun and interesting way of massaging growth numbers…).

To add to what detaro was saying; even if explicit consent were required for
sharing your location data, Deliveroo most likely got it; they after all need
it to know where your order is going to go. When such functionality is core to
the app, an opt-out is not necessary.

What they might not have gotten, or at least not clearly, is your consent to
send that data to a third party, explicitly and exclusively for marketing
purposes. I don't know how this would play out.

Realistically, GDPR and its enforcers err on the side of caution (you need
good justification to gather the data and share it, including consent and a
reason to gather it in the first place). So if you care about this and wish to
see it corrected, as I said an email to their dpo@ will likely go a long way.
In case it doesn't, your national enforcement agency may be interested.
Extremely-accurate location data is pretty creepy, especially if they get it
very often and doubly so if they store it for a long time.

The #1 thing I would look at here is what they actually need it for. They may
need it for security reasons (eg. anti-fraud measures) and happen to be
storing it in Braze which is _probably okay_ if Braze respects GDPR and
Deliveroo signed a DPA with them (you'd be surprised the amount of companies
storing security data in GA).

But you wouldn't have a very hard time making a case that they're using this
for marketing purposes and are gathering an unreasonable amount of accuracy.
So now the question is, do you care about this enough to follow up on it? :)

~~~
K0nserv
> To add to what detaro was saying; even if explicit consent were required for
> sharing your location data, Deliveroo most likely got it; they after all
> need it to know where your order is going to go. When such functionality is
> core to the app, an opt-out is not necessary.

Per GDPR[0] consent must be specific, i.e. acquiring consent for a legitimate
feature of an app and then also using the data for marketing purposes, what
seems to be happening here, is not legal. Of course it could be the case that
Deliveroo uses Braze for all their push notifications and thus consider it an
essential part of their product. IANAL, but as I read the GDPR, giving an app
location access required for legitimate functionality is not a carte blanche
for the app to use location data for any purpose without obtaining consent for
each specific usage.

In any case, like you say it's extremely creepy and the level of accuracy is
worrying.

0: [https://gdpr-info.eu/issues/consent/](https://gdpr-info.eu/issues/consent/)

~~~
scrollaway
I just replied elsewhere in the thread regarding this. Consent to collect was
acquired, but nothing actually says they're processing this data for marketing
purposes if you haven't opted in to it.

I've seen this pattern quite often: The opt in/out flag is stored somewhere
and companies invalidate the data they have based on that in the marketing
tooling itself; collection still happens regardless. I've not used it but it's
even possible Braze has information on the optin/optout and the ability to
immediately reject data about optouts.

The reality is that, while the clean and intuitive privacy practices we're
talking about are compliant, they're not _required_ for compliance. Companies
go the least-effort route. Deliveroo has clearly done a GDPR pass on their
practices so I highly doubt they're _using_ the data in question for marketing
(even if they're collecting it).

But I'm still encouraging you to go and talk to them about it. I promise you
if you're polite and clear about what and where the issue is, you can likely
get some changes done. It's pretty fulfilling, too :)
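The two practices scrollaway describes above (reducing location precision to something like 5 km for the marketing use case, and enforcing the opt-in/opt-out flag before data reaches the marketing tooling rather than trusting the tooling to discard it) can be shown in a few lines. This is an added illustration and not Deliveroo's or Braze's code; the `Consent` flag, the order fields, the 5 km grid and the sample coordinates are all assumptions made for the example.

```python
"""Consent-gated, precision-reduced export of location data.

Added example for the thread above; not code from Deliveroo or Braze.
The order schema, the Consent flag and the 5 km grid are assumptions.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Consent:
    """Per-user processing flags as they would be stored alongside the account."""
    marketing: bool  # True only if the user explicitly opted in


# Constructed sample order (not real data): a delivery in central London.
SAMPLE_ORDER = {"user_id": "u-123", "lat": 51.5074, "lon": -0.1278}


def coarsen(lat, lon, grid_km=5.0):
    """Snap a coordinate to the centre of a grid cell roughly grid_km across.

    One degree of latitude is about 111 km; a degree of longitude shrinks by
    cos(latitude). Snapping (not just rounding digits) means every point in a
    cell maps to the same output, so the exported value cannot be refined back
    to a street address.
    """
    lat_step = grid_km / 111.0
    lon_step = grid_km / (111.0 * max(math.cos(math.radians(lat)), 1e-6))

    def snap(value, step):
        return (math.floor(value / step) + 0.5) * step

    return round(snap(lat, lat_step), 4), round(snap(lon, lon_step), 4)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance, used here only to check how much precision is lost."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def route_order(order, consent):
    """Split one order into what each downstream consumer may receive.

    Dispatch needs the precise coordinates to deliver the food, so it always
    gets them. The marketing partner gets nothing unless the user opted in,
    and even then only a coarsened location. The decision is made here, at
    the export boundary, so the partner never holds data it must later drop.
    """
    dispatch_event = {"user_id": order["user_id"],
                      "lat": order["lat"], "lon": order["lon"]}
    if not consent.marketing:
        marketing_event = None
    else:
        approx_lat, approx_lon = coarsen(order["lat"], order["lon"])
        marketing_event = {"user_id": order["user_id"],
                           "approx_lat": approx_lat, "approx_lon": approx_lon}
    return {"dispatch": dispatch_event, "marketing": marketing_event}


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, route_order(SAMPLE_ORDER, Consent(marketing=flag)))
```

With a 5 km grid the exported point is never more than about 3.5 km (half the cell diagonal) from the real location, which is enough for city-level marketing segmentation but not for identifying a home address.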

------
resca79
I placed one order in Milan with Deliveroo; since that day I have received
emails and phone calls from different call centers.

------
thisisit
I wonder if good fraud detection is one of the things routinely ignored by
unicorns trying to get explosive growth. First, we had ride-sharing companies
where drivers could start rides without their customers. Then there were
digital wallets getting hacked left, right and center (in India).

------
vivan
Interestingly the same author had a very different opinion when the same was
happening to someone else. [https://www.newstatesman.com/science-tech/internet/2018/09/g...](https://www.newstatesman.com/science-tech/internet/2018/09/gdpr-easier-access-data-hackers-access-online-security-spotify)

> Although what Spotify has done, or failed to do, by handing over data to
> whoever is logged in on an account, could be considered irresponsible, it is
> in no way illegal – and, in all likelihood, is generally the norm.

------
randyrand
Pretty bad pronoun use in the headline.

------
johnnycab
_Midway through writing this story, I got my money back, by the way – and from
Deliveroo itself. Other victims have not been so lucky._

The author's experience is not uncommon and seems sensationalised to create a
Twitter storm and garner sympathy, which is uncharacteristic for a journo,
who writes about 'tech and digital culture'. It would have been more apt to go
into triage mode i.e. stop the bleed of finances and dispute transactions
immediately, before entering into communications with the delivery firm. After
a resolution, choose to go turbo and further explore the implications of GDPR,
then write about your experience in detail.

The article does not leave the reader any more informed or equipped to deal
with such a fraud. It does not even pretend to offer any piecemeal advice e.g.
don't use/re-use easily guessed passwords, use 2FA, use credit cards or
virtual/disposable cards, contact your bank/issuer first, don't bother
contacting low-level support via social media, explore data protection laws
after a resolution etc.

------
sschueller
After Brexit (March 29, 2019) is the GDPR still valid?

~~~
s_dev
Presuming the UK actually exits. They can still withdraw A50 -- or possibly
extend it but the EU has cast doubt on this.

Even if it does exit -- EU will have incredible influence over the UK and can
effectively enforce GDPR on most companies over a certain size as those
companies will have to create entities and corporate structures in the EU for
varying reasons -- mostly tax minimisation for exporting.

Little sole traders with no ambition of expanding outside the UK will
probably have the benefit of not having it enforceable on them.

Again this presumes the UK chooses not to implement its own data protection
laws.

------
adlkjnndnnd
Zero proof seems to be given in the article that it is Deliveroo's fault.
While they probably should be more helpful, spreading the accusations based on
guesswork seems to be yet another example of shoddy modern journalism.

------
malka
This website makes it a point to make it as annoying as possible to disable
all tracking. No option to disable all.

Full article for those who want to read it but not be tracked:

Deliveroo users are getting defrauded – and it could be fined millions for it

Scammers are using the delivery service to clear out bank accounts, and the
company’s response may be in breach of GDPR regulations. By Sarah Manavis

On Friday morning, I woke up late, rushed to the tube, tapped in with Apple
Pay, only to discover a few minutes later that my payment had been declined
because I had insufficient funds. Figuring, “Well, it’s January”, I went to
check my bank balance.

But rather than seeing an overspend or a direct debit I’d forgotten about, I
saw three enormous charges from the food delivery service Deliveroo from the
night before. They weren’t mine.

I immediately called Deliveroo to say that it wasn’t, in fact, me who ordered
£100 worth of food in the space of ten minutes in three separate orders; and
told them that the fraudsters had changed my email address, so I couldn’t even
get into my account to look at where it was sent. I was told that they would
investigate, and I would be sent an email asking for more information
immediately.

I was not. After an hour, I rang again, to find that actually the email had
been sent to the new email address – the one the fraudsters plugged in – so
that they had presumably been alerted to the investigation. I complained, got
the email re-sent to me, and was then met by radio silence for the rest of the
day. When I eventually rang again, the company said it couldn’t actually tell
me whether or not I would get my money back, adding that I might not hear from
them for nearly a week before they let me know either way.

By 5pm, I was getting fed up, so I did what any journalist with a modest
Twitter following would do, and tweeted. What I thought would happen was that
my case would be bumped on the list, and maybe I’d get my money back sooner
(or, indeed, at all). What actually happened was that my replies, DMs and
email were all immediately flooded with people who had been a victim of the
same fraud, saying, yes, this had happened to them too and no, Deliveroo had
never refunded them. Of the roughly 40 people I spoke to, not a single one had
been refunded by the delivery service; those who did get their money back had
got it from their bank. The people tweeting the account claimed to have
experienced fraud ranging from the low hundreds of pounds, like my case, to,
in some cases, thousands. One person tweeted me to say that a friend of his
was fraudulently charged £3,500 on his account. “Deliveroo offered him a £40
credit as a gesture.”

More shockingly, nearly half of these people told me that their cases were
still technically “under investigation” by Deliveroo, some for over two
months. Most of those who had been waiting for more than a week to hear about
their case told me Deliveroo had simply stopped responding to their calls.

This problem is not actually new. In 2016, the Telegraph ran an expose of
rampant fraud on the food-delivery service, and reported on customers’ shock
at Deliveroo’s poor handling of the situation. The same day, a BBC Watchdog
programme did a feature on Deliveroo fraud, in which Deliveroo claimed that
“instances of fraud on our system are rare”.

But dating back several years, Deliveroo’s customer service Twitter account,
@DeliverooHelp, has responded to claims of fraud nearly every day – often, in
recent months, multiple times a day. They may represent only a small
percentage of Deliveroo’s wider customer base, but it’s not at all obvious
this is “rare”.

However, help for customers – and fines for the delivery service – could be
coming from Brussels. Laura Irvine, a regulatory lawyer and Partner at
Davidson Chalmers, tells me that Deliveroo may have breached the GDPR
regulations introduced last year on multiple counts.

The General Data Protection Regulation (GDPR), which became European law on 25
May 2018, made sweeping changes to data protection rules across the EU: now,
companies are more liable for protecting the data they hold on customers than
ever before.

Irvine tells me that Deliveroo appears to have breached these regulations
three times over. The sixth principle of Article 5, for example, requires
companies to have “appropriate security in place to keep your financial and
other personal data secure”, she notes. The firm also appears to have breached
Article 32, “which provides more detail about what is expected in terms of
data security – namely encryption, which appears not to have been in place”.

Lastly, there’s Article 34, which requires the “data controller” – that’s
Deliveroo – to tell “anyone who may be affected by a data breach about it
without undue delay. This applies when the breach is likely to result in a
high risk of an impact on the individual. Getting your bank account emptied
would, I suggest, meet that threshold.”

So what fines could Deliveroo face, if it were to be found guilty of these
data breaches? “It could be millions of pounds,” Irvine says.

She emphasised that this is a big “could” – the millions of pounds they could
be fined would be the upper end of the spectrum. But it is entirely possible,
especially given the criticism the Information Commissioner’s Office (ICO) has
faced for the small size of its fines in the past. “They were criticised for
the small fine imposed on Facebook – £500,000 which was the maximum under the
old law,” she tells me. “So I think they will want to use their powers. And
they need to keep up with the other regulators,” she adds, noting that Google
recently faced a €50m fine in France for breaching GDPR.

That said, there are some things that could spare Deliveroo from this fate:
if, say, Deliveroo had told the ICO about the data breach within 72 hours, the
threshold for fines would be lowered. But, Irvine says, the high volume of
incidents and the reported response from Deliveroo suggest they aren’t
informing the ICO of their data protection problems.

“They may blame other parties, but at the end of the day if you give them your
data then they remain responsible – in most cases,” she says. “I am not sure
how the bank would stop this.”

I put all this to Deliveroo. A spokesperson told me: “Deliveroo takes online
security very seriously. Sadly fraudsters rely on the fact that people reuse
the same passwords on multiple online services to try and gain entry to
different accounts across the web.”

Ultimately, though, fines are not the only problems that data leaks of this
sort pose to firms like Deliveroo. “Soon people will stop using companies
based on how responsible they are with data,” she says. “Particularly
financial data – but even your address being out there can be uncomfortable or
dangerous for some people.” If she’s right, then this, for Deliveroo, could be
just the beginning.

Midway through writing this story, I got my money back, by the way – and from
Deliveroo itself. Other victims have not been so lucky.

------
EthanV2
By the sounds of it this is a simple credential reuse attack (it's even stated
as such in the article) so I really don't see where these accusations of a
"data breach", and "encryption, which appears not to have been in place” come
from. If these fraudulent transactions are the result of credential reuse I
really don't see the GDPR violation here.

~~~
maaaats
Yeah, not to defend Deliveroo (that's still abhorrent customer service), but I
fail to see how they can back up the allegations of the various breaches. How
do they know encryption was not in place?

------
netik
All of this discussion about the company here (which isn’t responding in a
correct and honest way) and not much discussion on the root cause of this
problem.

The journalist and the 40+ people were victims of a credential stuffing attack
which means they used the same password on multiple sites.

Had they used a password manager to roll a new password per site and had
deliveroo had proper rate limiting, this attack would have been mostly
mitigated.

There’s not much excuse for this behavior.
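The two controls netik names, rate limiting on the service side and detecting a credential stuffing run for what it is, can be demonstrated on a handful of authentication log lines. This is an added example for the comment above, not Deliveroo's code or any product's detection rule; the log format, the thresholds (five distinct accounts from one source within a minute, three attempts per source per minute) and the sample lines are all constructed for the illustration.

```python
"""Credential-stuffing detection and per-source login rate limiting.

Added example, not code from Deliveroo or any vendor. The log format, the
thresholds and the sample log lines below are assumptions for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of auth-service log lines (not real data). One source
# walks through six different accounts in four seconds and lands one hit;
# a second source is a legitimate user retyping their own password.
SAMPLE_LOG = """\
2019-01-25T21:00:01Z ip=203.0.113.7 user=alice result=FAIL
2019-01-25T21:00:02Z ip=203.0.113.7 user=bob result=FAIL
2019-01-25T21:00:02Z ip=203.0.113.7 user=carol result=FAIL
2019-01-25T21:00:03Z ip=203.0.113.7 user=dave result=OK
2019-01-25T21:00:03Z ip=203.0.113.7 user=erin result=FAIL
2019-01-25T21:00:04Z ip=203.0.113.7 user=frank result=FAIL
2019-01-25T21:00:09Z ip=198.51.100.2 user=alice result=FAIL
2019-01-25T21:00:30Z ip=198.51.100.2 user=alice result=OK
"""


def parse_line(line):
    """Turn 'ts key=value ...' into a dict with a datetime under 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_stuffing_sources(log_text, window=timedelta(seconds=60), distinct_users=5):
    """Return {ip: distinct accounts tried} for sources that fan out across
    at least distinct_users accounts inside one window. Fan-out across many
    accounts is what separates stuffing from a user mistyping a password,
    so successes are counted too: a hit from such a source is the compromise."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        attempts[rec["ip"]].append((rec["ts"], rec["user"]))
    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - t0 <= window}
            best = max(best, len(users))
        if best >= distinct_users:
            flagged[ip] = best
    return flagged


def compromised_accounts(log_text):
    """Accounts that saw a successful login from a flagged source: the ones
    whose reused password was in the attacker's list and need a reset."""
    flagged = find_stuffing_sources(log_text)
    hits = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["ip"] in flagged and rec["result"] == "OK":
            hits.add(rec["user"])
    return hits


class SlidingWindowLimiter:
    """Allow at most max_attempts per key inside a trailing window."""

    def __init__(self, max_attempts, window=timedelta(seconds=60)):
        self.max_attempts = max_attempts
        self.window = window
        self._hits = defaultdict(deque)

    def allow(self, key, now):
        q = self._hits[key]
        while q and now - q[0] > self.window:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True


def simulate_limiter(log_text, max_attempts):
    """Replay the log through a per-IP limiter; return blocked counts per IP."""
    limiter = SlidingWindowLimiter(max_attempts)
    blocked = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        blocked.setdefault(rec["ip"], 0)
        if not limiter.allow(rec["ip"], rec["ts"]):
            blocked[rec["ip"]] += 1
    return blocked


if __name__ == "__main__":
    print("stuffing sources:", find_stuffing_sources(SAMPLE_LOG))
    print("compromised:", compromised_accounts(SAMPLE_LOG))
    print("blocked per ip:", simulate_limiter(SAMPLE_LOG, max_attempts=3))
```

On the sample, the per-IP limit of three per minute blocks the fourth attempt onwards from the stuffing source, which is the one that would have succeeded, while the legitimate retry is untouched. A per-IP limit alone is weak against a run spread over many addresses, so in practice it is paired with a per-account limit and with the fan-out detection above.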

------
sergioisidoro
This kind of article and journalism makes me a bit uneasy.

This article only exists because the journalist was affected. If anyone would
contact this paper saying company X has fraudsters leveraging their
service (which is not uncommon), this article would never have been written.

That aside, I've been on the other side, resolving cases like this. Sometimes
cases are complex, take months to figure out while involving multiple
stakeholders (police, banks, payment processors, etc), and you have no idea
who to trust on the other side of a phone line (it can be a victim, it can be
the fraudster).

~~~
Doctor_Fegg
This kind of reflex journalism hate makes me uneasy.

> If anyone would contact this paper saying company X has fraudsters
> leveraging their service (which is not uncommon), this article would never
> have been written.

You don't know that. The New Statesman is an excellent magazine and has run
plenty of investigations in its time.

~~~
sergioisidoro
It's not journalist hate, and I'm not attacking The New Statesman, I'm
criticising _this_ article.

If the article were about the growing problem of online fraud (which is
growing quite steadily), and not only about Deliveroo, I would be happy.

Yes, I do know that, because as I said I've been on the other side and the
number of articles covering individual companies being targeted by fraudsters
is low compared with the number of cases.

Regardless of the motives that sparked the article, it still brings attention
to the topic, which is positive.

