Online grocery delivery startup Mercato exposed thousands of customer orders in a security lapse, ClearTips has learned.
A person with knowledge of the incident told ClearTips that the exposure occurred in January after one of the company’s cloud storage buckets, hosted on Amazon’s cloud, was left open and unsecured.
The company fixed the data spill, but has not yet alerted its customers.
Mercato was founded in 2015 and helps more than a thousand small grocers and specialty food stores get online for pickup or delivery without signing up for delivery services like Instacart or Amazon Fresh. Mercato operates in Boston, Chicago, Los Angeles and New York, where the company is headquartered.
ClearTips obtained a copy of the exposed data and verified a portion of the records by matching names and addresses against known current accounts and public records. The data set included more than 70,000 orders placed between September 2015 and November 2019, and contained customers’ names, email addresses, home addresses, and order details. Each record also contained the IP address of the device the customer used to place the order.
The data set also included personal data and order details of company executives.
It is unclear how the security lapse occurred, since storage buckets on Amazon’s cloud are private by default, or when the company learned of the exposure.
Companies are required to disclose data breaches or security lapses to the state attorney general in states such as California, but no such notice has been published. The data set included more than 1,800 California residents, more than three times the number required to trigger mandatory disclosure under the state’s data breach notification law.
It is also not known whether Mercato disclosed the incident to investors before raising a $26 million Series A earlier this month. Velvet C Ventures, which led the round, did not respond to emails requesting comment.
In a statement, Mercato chief executive Bobby Branigan confirmed the incident but declined to answer our questions, citing an ongoing investigation.
“We are conducting a full audit using a third party and will contact the affected persons. We believe no credit card data was accessed because we do not store those details on our servers. We will continuously inform all official bodies and stakeholders, including investors, about the findings of our audit and any steps necessary to measure this situation,” said Branigan.