App Data Leak: How a Delivery Service Slopped Up on Security

Data leak at the German grocery delivery service Gorillas: Because the app had some gaps, data from over 200,000 customers was publicly accessible. Every company’s nightmare came true for this start-up - but the incident also showed how important it is not to take risks when protecting personal data.

Inadequate Cybersecurity in Delivery Service App

2021 was not a good year for Gorillas, even though it all started so magically: Founded in Berlin in March 2020, the start-up received an incredible 244 million euros in the second round of investors and was seen as a unicorn in financing circles. Gorillas quickly became one of the most successful grocery delivery services in Germany, due to its supermarket prices, fast delivery (goods should reach the customer within ten minutes of completing the order) and the fact that no additional delivery costs apply.

Unfortunately, the euphoria got its first damper in early 2021 when it turned out that the Berlin start-up had a massive data problem. A group of tech-savvy German researchers from Ulm took a closer look at the Gorillas app and discovered: There was an urgent need for some catch-up work. “Zerforschung” (a word play from the German words "Zerstörung" (destrucion) and "Forschung" (research) literally translates as: Destruction Research) is the name of a German collective that regularly puts technical devices and IT programs through their paces. The researchers struck gold with the delivery service.

Security Hack Reveals Data Leak

Over one million order details from 200,000 customers were obtained by the collective from Gorillas during a review of the app. Particularly explosive: Among the data that Zerforschung received via the app were photos of front doors and doorbells. These probably came from drivers who were apparently supposed to document the order delivery. This kind of data would of course be a godsend for real cyber criminals. Because anyone who got their hands on all this customer data could contact the customers in Gorilla’s name - and get them to pay an invoice twice for example.

Zerforschung documented their “security hack” on their website and, according to their own statements, forwarded it to the Federal Administration’s Computer Emergency Response Team (CERT-Bund). The CERT-Bund then informed Gorillas about the data leak. According to a statement on Berlin.de, the start-up reacted immediately and announced that the security gap had now been closed. “To the best of the company’s knowledge, no data was stolen or otherwise misused,” Gorillas continued. By the way: Gorillas is actually the second delivery service where Zerforschung found a data security issue. In March 2021, the collective documented a similar data leak with its competitor Flink.

Tip:

Read the following article to find out which cyber risks your company is exposed to and how you can best prepare your business for them: IT Risks: Lessons Learned and Precautions For Your Business

An Embarrassing Glitch but No Real Damage

Of course, both companies were fortunate in their misfortune, as there doesn’t appear to be any real harm caused aside from the embarrassment. In the event of an actual hacker attack, the whole thing could have been significantly more expensive: Because hacker attacks no longer only affect larger companies, but also small companies and freelancers from the IT sector. The potential damage from cybercrime includes:

Better Protection against Cybercrime with exali

In addition to Professional Indemnity Insurance via exali, you can book the optional First-party Cyber and Data Risks Insurance (FPC) add on. It offers you additional protection against the incalculable risks of cybercrime. First-party claims are insured - i.e. damage caused to your own IT systems by, for example, hacker attacks, ransomware, malware, phishing or theft of data carriers. The insurer not only covers the costs associated with restoring or repairing your IT systems, but also the costs of hiring external computer forensic specialists and specialised lawyers, as well as crisis management and PR.