
Mercato Data Breach: Years of Customer Data Exposed

April 14, 2021

Data Breach at Mercato Exposes Customer Order Information

A recent security vulnerability at Mercato, an online grocery delivery service, resulted in the exposure of data pertaining to tens of thousands of customer orders, as discovered by TechCrunch.

Details of the Incident

According to an informed source, the incident occurred in January. A cloud storage bucket belonging to the company, hosted on Amazon’s cloud infrastructure, was inadvertently left publicly accessible and without adequate protection.

While the data exposure has been addressed by the company, customers have not yet been formally notified of the breach.

About Mercato

Established in 2015, Mercato facilitates online ordering for over one thousand independent grocers and specialty food retailers. This allows them to offer pickup and delivery services without relying on larger platforms like Instacart or Amazon Fresh.

The company currently operates in major metropolitan areas including Boston, Chicago, Los Angeles, and New York City, where its headquarters are located.

Scope of the Data Exposure

TechCrunch acquired a copy of the compromised data and validated a portion of it by cross-referencing names and addresses with existing account information and publicly available records.

The dataset encompassed over 70,000 orders placed between September 2015 and November 2019. It contained sensitive customer information such as names, email addresses, and residential addresses.

Furthermore, detailed order information and the IP addresses used by customers during order placement were also included in the exposed data.

The compromised data also extended to personal information and order histories of Mercato executives.

Uncertainties Surrounding the Breach

The cause of the security lapse remains unclear, since Amazon’s cloud storage buckets are private by default and become publicly readable only when their access configuration is changed. The timeline of when Mercato became aware of the exposure is also currently unknown.
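As an added example, not code from the article or from Mercato: a defender-side audit in Python that checks an S3 bucket policy document and an ACL grant list for the two configuration paths that turn a private-by-default bucket into a publicly readable one. The policy, ACL grant and role ARN are constructed samples; in practice the inputs would be the results of the GetBucketPolicy and GetBucketAcl API calls.

```python
import json
# Constructed sample: a bucket policy that lets anyone on the internet list the
# bucket and read every object, the exposure pattern described in the article.
SAMPLE_PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})

# Constructed sample: the same data limited to one IAM role (hypothetical ARN).
SAMPLE_PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AppRoleRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/order-service"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

# Constructed ACL grant in the shape GetBucketAcl returns. AllUsers means anyone
# at all; AuthenticatedUsers means any AWS account, not "my users".
SAMPLE_PUBLIC_ACL = [{"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _is_anonymous(principal):
    """True for the wildcard principal forms "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    return aws == "*" or (isinstance(aws, list) and "*" in aws)

def public_policy_statements(policy_json):
    """Sids of Allow statements open to everyone; a Condition is flagged, not trusted."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be given un-listed
        statements = [statements]
    findings = []
    for s in statements:
        if s.get("Effect") == "Allow" and _is_anonymous(s.get("Principal")):
            sid = s.get("Sid", "<no Sid>")
            findings.append(f"{sid} (conditional)" if s.get("Condition") else sid)
    return findings

def public_acl_grants(grants):
    """Permissions any ACL grant hands to the public S3 groups."""
    return [g["Permission"] for g in grants
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]

def audit_bucket(policy_json, grants):
    # Run both checks; the bucket counts as public if either path opens it.
    policy, acl = public_policy_statements(policy_json), public_acl_grants(grants)
    return {"policy": policy, "acl": acl, "public": bool(policy or acl)}
```

A statement with a Condition (for example a source-IP restriction) is reported as conditional rather than cleared, because whether it is actually reachable from the internet needs a human to read the condition.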

Legal and Disclosure Requirements

Regulations mandate that companies disclose data breaches and security incidents to state attorneys general. However, no public notices have been issued in jurisdictions where such disclosure is legally required, including California.

The dataset contained information on over 1,800 California residents, exceeding the threshold for mandatory disclosure under the state’s data breach notification laws.

It is also uncertain whether Mercato informed its investors about the incident prior to its recent $26 million Series A funding round.

Velvet Sea Ventures, the lead investor in the funding round, has not yet responded to requests for comment.

Mercato’s Response

Mercato CEO Bobby Brannigan acknowledged the incident in a statement but refrained from providing specific answers, citing an ongoing investigation.

“We are conducting a complete audit using a third party and will be contacting the individuals who have been affected. We are confident that no credit card data was accessed because we do not store those details on our servers. We will continually inform all authoritative bodies and stakeholders, including investors, regarding the findings of our audit and any steps needed to remedy this situation,” stated Brannigan.

