Deliveroo customers billed for unordered food
- Published
Customers of takeaway food app Deliveroo have had their accounts hacked and run up bills for food that they did not order, according to an investigation by the BBC's Watchdog programme.
One user said that £200 was spent on burgers delivered to several addresses.
The firm said the hacks were carried out using passwords stolen in previous data breaches on other companies.
One expert warned that the firm must improve security.
Deliveroo was launched in 2013 as a takeaway app, offering to find all nearby locations for users wanting to order food. It rapidly expanded to dozens of towns and cities across the UK.
User Judith MacFadyen, from Reading, told Watchdog: "I noticed that I had a 'thank you' email from Deliveroo for a burger joint in Chiswick. I thought that was really odd so I went on to my account and had a look and there had been four orders that afternoon to a couple of addresses in London."
Margaret Warner, from Manchester, was charged £113.70 for chicken, waffles and chips that she did not order while Steve Tappin was charged £98 for a delivery from TGI Friday which was 86 miles away from his home.
All of them had their money refunded.
Deliveroo denied that any financial information had been stolen.
"Customer security is crucial to us and instances of fraud on our system are rare, but where customers have encountered a problem, we take it very seriously," it said in a statement.
It added: "We are aware of these cases raised by Watchdog - they involve stolen food, not credit card numbers. These issues occur when criminals use a password stolen from another service unrelated to our company in a major data breach."
It urged customers to use "strong and unique passwords for every service they use".
But technology expert David McClelland told Watchdog that Deliveroo could do more.
"When we buy things online, the more hoops we have to jump through to complete that purchase, the more likely we are to go away and do something else instead.
"Deliveroo realises that - so tries to remove as many of the hoops as possible. However, some of the hoops that Deliveroo are removing are there specifically for security purposes. So while it may be making it easier for us to place orders, it is also making it easier for us to be defrauded."
The programme will be shown at 20:00 on BBC One, on 23 November.
- Published8 November 2016
- Published15 November 2016