Deliveroo customers charged for food they did not order, probe finds

Updated: 

Deliveroo customers have suffered account breaches and been charged for food and drink they did not order, an investigation by BBC One's Watchdog has found.

The takeaway food app launched in 2013 and works based on a customer's location, showing nearby food outlets available to deliver to them.

But an investigation by Watchdog claims that some users of the service have had their accounts hacked, with fraudsters able to order hundreds of pounds of food and drink to addresses around the country.  

Users can save payment information to the app, which despite not being fully visible when ordering, only needs to be tapped on to confirm it as a payment method. 

Deliveroo user Judith MacFadyen from Reading told Watchdog that her account was breached and more than £200 spent on burgers before being delivered to several London addresses.

"I noticed that I had a 'thank you' email from Deliveroo for a burger joint in Chiswick. I thought this is really odd, so I went onto my account and had a look and there had been four orders that afternoon to a couple of addresses in London," she said.

"I was pretty shocked. Did that mean they had all the card details? I was straight on to the bank to get that card cancelled."

Deliveroo has denied that any financial information had been compromised in these incidents, instead saying stolen passwords from other data breaches have been used to access the accounts and order food.

"Customer security is crucial to us and instances of fraud on our system are rare, but where customers have encountered a problem we take it very seriously," the company said in a statement.

"We are aware of these cases raised by Watchdog - they involve stolen food, not credit card numbers. These issues occur when criminals use a password stolen from another service unrelated to our company in a major data breach. The stolen password is then used to fraudulently access someone's account. This is why we urge customers to use strong and unique passwords for every service they use."

But technology expert David McClelland told Watchdog the app still needed to increase its payment security. 

"When we buy things online the more hoops we have to jump through to complete that purchase the more likely we are to go away and do something else instead," he said.

"Deliveroo realises that - so tries to remove as many of the hoops as possible. However some of the hoops that Deliveroo are removing are there specifically for security purposes. So while it may be making it easier for us to place orders, it's also making it easier for us to be defrauded."

Mr McClelland said the app should consider asking users to enter their bank card security code or checking addresses on order for signs of suspicious activity.

The delivery app said it is already using "industry-leading anti-fraud measures" that block transactions that appear suspicious and that the service also uses "anomaly detection techniques through machine learning to track patterns of criminal activity".

:: Watchdog will broadcast on BBC One at 8pm on Wednesday November 23.