TechCrunch has learned that a security breach in online grocery delivery startup Mercato has revealed tens of thousands of customer orders.
A person familiar with the incident told TechCrunch that the exposure occurred in January, after one of the company’s cloud storage buckets, hosted on Amazon’s cloud, was left open and unprotected.
The company fixed the data spill, but has yet to alert its customers.
Mercato was founded in 2015 and helps over a thousand small grocers and specialty food stores go online for pickup or delivery, without having to sign up for delivery services like Instacart or Amazon Fresh. Mercato operates in Boston, Chicago, Los Angeles and New York, where the company is headquartered.
TechCrunch obtained a copy of the exposed data and verified part of the records by matching names and addresses with known existing accounts and public records. The dataset contained over 70,000 orders from September 2015 to November 2019, and included customer names and email addresses, personal addresses, and order details. Each record also had the IP address of the device used to place the order.
The dataset also included personal data and order details of the company’s executives.
It is not known how the security breach occurred since Amazon’s cloud storage buckets are private by default, or when the company learned of the exposure.
Companies are required to disclose data breaches or security breaches to state attorneys general, but no notices have been published where required by law, such as in California. The dataset had more than 1,800 California residents, more than three times the number needed to trigger mandatory disclosure under state data breach notification laws.
It is also unclear whether Mercato disclosed the incident to investors ahead of its $26 million Series A raise earlier this month. Velvet Sea Ventures, which led the round, did not respond to emails seeking comment.
In a statement, Mercato chief executive Bobby Brannigan confirmed the incident but declined to answer our questions, citing an ongoing investigation.
“We are carrying out a full audit using a third party and we will contact those affected. We are convinced that no credit card data has been accessed as we do not store this information on our servers. We will continuously inform all authoritative bodies and stakeholders, including investors, of the conclusions of our audit and of the actions necessary to remedy this situation,” said Brannigan.