Grubhub Class Action Alleges Customer And Driver PII Compromised In 2025 Data Breach—Names, Emails, Payment Card Data Exposed Through Third-Party Hack

ByAll About Lawyer Reading Time: 7 minutes

Grubhub disclosed in February 2025 that hackers accessed customer, driver, and merchant information through a compromised third-party service provider account. The breach exposed names, email addresses, phone numbers, partial payment card information, and hashed passwords for an undisclosed number of users who interacted with Grubhub’s customer care service and Campus Dining platform.

Law firms including Console & Associates are now investigating class action lawsuits against Grubhub for allegedly failing to adequately protect user data and secure third-party vendor access to sensitive systems.

What Information Was Compromised

According to Grubhub’s February 3, 2025 breach notification, hackers accessed different types of personally identifiable information depending on which Grubhub service the affected individual used.

For campus diners using Grubhub’s Campus Dining service—which lets university students pay for food with meal credits—hackers accessed names, email addresses, phone numbers, and partial payment card information including the last four digits of card numbers and card types.

For customers, drivers, and merchants who interacted with Grubhub’s customer care service, hackers accessed names, email addresses, and phone numbers. The investigation also revealed that attackers accessed hashed passwords for certain legacy systems, though Grubhub claims no Grubhub Marketplace account passwords were compromised.

Grubhub stated that Social Security numbers, bank account information, merchant login credentials, and full credit card numbers were not exposed in the breach.

How The Breach Happened

The breach originated when hackers compromised an account belonging to a third-party service provider that provided support services to Grubhub. This contractor account gave the unauthorized party access to Grubhub’s internal systems.

Grubhub detected “unusual activity” in its network in late January 2025. Upon investigation, the company traced the intrusion to the compromised third-party account. Grubhub immediately terminated the account’s access and removed the service provider from its systems entirely.

The company hired external forensic experts to assess the breach’s full scope. As a security measure, Grubhub proactively rotated passwords it believed might have been at risk and deployed additional anomaly detection mechanisms across its internal services.

Why Third-Party Breaches Are So Dangerous

The Grubhub breach highlights a critical vulnerability in modern business operations: supply chain security risks. Companies increasingly rely on third-party vendors, contractors, and service providers who need access to internal systems to perform their jobs.

When these third parties have inadequate security controls or fall victim to phishing attacks, hackers gain a backdoor into the primary company’s systems. The Nelnet Data Breach Class Action Lawsuit $10M Settlement Pays Up To $5,000 Cash—File Your Claim Before March 5, 2026 similarly involved third-party security failures affecting 2.5 million student loan borrowers.

Data protection regulations like the FTC Safeguards Rule and New York Department of Financial Services Cybersecurity Regulation require companies to conduct thorough third-party risk assessments, implement strict access controls, and continuously monitor vendor security practices.

The question class action attorneys will likely pursue: Did Grubhub adequately vet its third-party service provider’s security controls? Did it monitor the provider’s access to ensure compliance with data protection standards? Did it enforce least-privilege access principles limiting what the provider could access?

Who Is Affected And What Class Actions May Allege

While Grubhub hasn’t disclosed the exact number of affected individuals, the breach potentially impacts hundreds of thousands of users given that Grubhub has over 375,000 merchants and 200,000 delivery partners across more than 4,000 U.S. cities.

Anyone who used Grubhub’s Campus Dining service or contacted Grubhub customer care about orders, account issues, or delivery problems may have had their information compromised.

Class action investigations typically allege that companies like Grubhub:

Failed to implement reasonable security measures to protect customer and driver data, including inadequate third-party vendor oversight.

Violated state data breach notification laws by failing to promptly notify affected individuals or provide required information about the breach.

Related Article: JPMorgan Class Action Lawsuit, Alleges Tobacco Surcharges Violate ERISA, What Employees Should Know About the $80 Monthly Charge

Grubhub Class Action Alleges Customer And Driver PII Compromised In 2025 Data Breach—Names, Emails, Payment Card Data Exposed Through Third-Party Hack

Breached implied contract by collecting sensitive information with promises to protect it, then failing to maintain adequate security.

Were negligent in allowing third-party vendors excessive access to sensitive systems without proper controls.

Similar cases like the $4M Numotion Data Breach Data Breach Class Action Settlement Claim Up To $15,000 By March 18, 2026 show how healthcare providers face liability when third-party breaches expose patient data.

What You Should Do Now

If you use Grubhub or work as a Grubhub driver, take these immediate protective steps:

Check for Breach Notifications: Grubhub began notifying affected individuals on February 3, 2025. Check your email (including spam folders) and physical mail for data breach notification letters. These letters detail what specific information was compromised.

Monitor Your Accounts: Watch for fraudulent charges on credit cards you’ve used with Grubhub. Monitor your bank accounts for unauthorized transactions. Review credit card statements carefully for the next 12-24 months.

Change Your Passwords: Even though Grubhub claims Marketplace account passwords weren’t compromised, change your Grubhub password immediately. Use a unique, strong password you don’t use anywhere else. Enable two-factor authentication if available.

Place Fraud Alerts: Contact one of the three credit bureaus (Equifax, Experian, or TransUnion) to place a fraud alert on your credit file. This makes it harder for identity thieves to open accounts in your name.

Consider Credit Freezes: For maximum protection, place security freezes on your credit files with all three bureaus. This prevents anyone from accessing your credit report to open new accounts.

Document Everything: Save your breach notification letter, screenshots of any suspicious activity, and records of time spent responding to the breach. This documentation could support future claims.

Watch for Phishing: Scammers exploit data breaches by sending fake emails pretending to be from Grubhub. Never click links in unexpected emails. Go directly to Grubhub’s official website by typing the URL yourself.

Grubhub’s Pattern Of Legal Issues

This data breach isn’t Grubhub’s first brush with legal trouble. In December 2024, the company agreed to pay $25 million to settle FTC charges that it engaged in unlawful practices including not disclosing full delivery costs, deceiving drivers about earnings, and listing restaurants without their consent.

The FTC settlement demonstrates regulatory scrutiny of Grubhub’s business practices. A data breach compromising user information adds another layer of potential liability for the food delivery giant.

What Compensation May Be Available

While no settlement has been reached yet, typical data breach class actions like the Kaiser Caught Sharing Your Medical Data With Google And Microsoft, Massive $47.5M Settlement Revealed On Kaiser Class Action Lawsuit, Here’s How Much You Could Get provide:

Free Credit Monitoring: One to two years of identity theft protection and credit monitoring services for all class members.

Reimbursement for Documented Losses: Compensation for out-of-pocket expenses related to the breach, including fraudulent charges, credit monitoring costs, identity theft resolution expenses, and time spent responding to the breach.

Pro Rata Cash Payments: Alternative cash payments for class members who didn’t experience documented losses but had their data exposed.

The exact compensation depends on the number of affected individuals, severity of damages, and settlement negotiations.

Frequently Asked Questions

How do I know if I was affected by the Grubhub data breach?

Check for breach notification letters from Grubhub sent starting February 3, 2025. If you used Campus Dining or contacted Grubhub customer care, you may be affected even if you haven’t received a letter yet. Contact Grubhub or the investigating law firms to confirm.

What should I do if I see fraudulent charges?

Report them immediately to your bank or credit card company to dispute the charges. File an identity theft report with the FTC at IdentityTheft.gov. Document all fraudulent activity as evidence for potential class action claims.

Can I still join a class action if I haven’t experienced identity theft yet?

Yes. Most data breach class actions include all individuals whose data was compromised, regardless of whether they’ve experienced fraud yet. The exposure itself creates risk and damages.

How long should I monitor my accounts?

Monitor for at least 12-24 months after the breach. Identity thieves often wait months before using stolen information to avoid immediate detection. Some experts recommend monitoring for up to 5 years.

Will Grubhub offer free credit monitoring?

Grubhub has not publicly announced whether it will provide complimentary credit monitoring to affected individuals. This is often negotiated as part of class action settlements.

What if I closed my Grubhub account years ago?

You’re still affected if your data was in Grubhub’s systems when the breach occurred. Former customers and drivers whose information was accessed can participate in class actions.

How do I join the class action investigation?

Contact law firms investigating the breach, such as Console & Associates. Provide information about when you used Grubhub, whether you received a breach notification, and any damages you’ve suffered.

Last Updated: January 22, 2026

Disclaimer: This article provides informational content only and does not constitute legal advice.

Take action now: If you use Grubhub or work as a driver, secure your accounts immediately, monitor for fraudulent activity, and preserve all breach notification letters as potential evidence for class action claims.

Stay informed, stay protected. — AllAboutLawyer.com

About the Author

Sarah Klein, JD

Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah

Leave a Reply

Your email address will not be published. Required fields are marked *