Deliveroo Hacking Concerns Raised By BBC Watchdog Investigation

The firm urges customers to use strong passwords for every service they use.

Deliveroo customers have had their accounts compromised with fraudulent charges made for food and drink, a BBC investigation has revealed.

The food delivery app has enjoyed booming success since its launch in 2013, and employs some 5,000 drivers across Europe and Asia.

But now BBC ‘Watchdog’ has revealed customers in the UK have fallen victim to fraud costing hundreds of pounds in some cases.

<strong>The sight of Deliveroo drivers has become a common one in the UK's big cities</strong>

Deliveroo customer Judith MacFadyen from Reading told the programme: “I noticed that I had a ‘thank you’ email from Deliveroo for a burger joint in Chiswick.

“I thought this is really odd, so I went onto my account and had a look and there had been four orders that afternoon to a couple of addresses in London.”

Fraudsters had hacked into Judith’s account and ordered chicken, burgers, chips, milkshakes and more to addresses 30 miles away from her home.

<strong>Hackers may have obtained login information via other more vulnerable apps and services, Deliveroo said</strong>

The hack resulted in more than £240 being taken from the debit card Judith linked to her account.

Judith added: “I was pretty shocked. Did that mean they had all the card details? I was straight on to the bank to get that card cancelled.”

Deliveroo said account passwords were obtained through fraud on other platforms and services.

<strong>Deliveroo has seen huge growth in the past few years</strong>

However, Judith was found to be far from alone in reporting alleged fraud via Deliveroo.

‘Watchdog’ spoke to four other customers who claimed purchases were made on their Deliveroo accounts without their authorisation.

Margaret Warner from Manchester was charged £113.70 for chicken, waffles and chips that she didn’t order.

Steve Tappin was charged £98 for a delivery from a TGI Friday - 86 miles away from his home in London. They were both refunded.

Flatmates Mary and Michael are both students at Southampton University and share a Deliveroo account for their takeaways.

Mary told ‘Watchdog’: “At 2:30am one morning we got a stream of emails saying that we had made various Deliveroo orders.”

Scammers had hacked into their account and ordered four curries, six naans and a kebab to an address in Leicester - some 120 miles away.

Plus, three grilled chickens, four pizzas, five cheesecakes, garlic bread and eight bottles of vodka to multiple locations across London – over 60 miles from their home.

The pair lost £440 in total when Deliveroo’s systems completely failed to pick up on multiple orders being made to addresses miles apart from each other all on the same night.

To stop any further payments coming out they called the bank to cancel their cards. The money was returned to the students 10 days after it was taken.

Mary continued: “It’s been awful, they took nearly everything and then I’ve had to pretty much beg borrow and steal off fellow flatmates, friends and parents as well.”

Internet security expert David McClelland said: “When we buy things online, the more hoops we have to jump through to complete that purchase, the more likely we are to go away and do something else instead.

“Deliveroo realises that – so tries to remove as many of the hoops as possible. However some of the hoops that Deliveroo are removing are there specifically for security purposes.

“So while it may be making it easier for us to place orders, it’s also making it easier for us to be defrauded.”

David explained that the firm could be going further to prevent fraudulent transactions, including requiring the CVV2 code on bank cards, which makes it easy for us to buy things securely online, and checking that the address on orders isn’t somewhere suspiciously far away from the address of the registered account.

A Deliveroo spokesperson said the firm uses the latest anti-fraud measures and that incidences are rare.

They added: “Where customers have encountered a problem we take it very seriously.

“We are aware of these cases raised by ‘Watchdog’ - they involve stolen food, not credit card numbers.

“These issues occur when criminals use a password stolen from another service unrelated to our company in a major data breach.

“The stolen password is then used to fraudulently access someone’s account.

“This is why we urge customers to use strong and unique passwords for every service they use.

“On the rare occasions when fraud does occur, we work with customers to secure their account, reimburse them for fraudulent transactions and where appropriate work with the relevant authorities.”

‘Watchdog’ airs on BBC One at 8pm on Wednesday.