The account information of roughly 2,180 Instacart shoppers may have been improperly accessed by two third-party support employees, the company said in a blog post.
"As part of our ongoing review of support protocols, we’ve determined that two employees retained by a third-party support vendor we work with may have reviewed more shopper profiles than was necessary in their roles as support agents," the company blog reads.
In addition, Instacart said once it discovered the inconsistency, the company hired a forensic analysis firm to investigate the intrusion. The results of the investigation confirmed that the two contractors viewed a limited set of shopper information that may have included name, email address, telephone number, driver’s license number and a thumbnail image of the driver’s license.
Based on its forensic investigation, no shopper data was stored, downloaded or digitally copied in any way and no customer information or profiles were accessed or affected. according to the company.
Instacart said it has "zero tolerance for anyone who abuses their role and that extends to our third-party vendors" and has coordinated with the unnamed third-party support vendor to ensure the two employees will never work on the platform again. In addition, work with the third-party vendor has been suspended and ceased indefinitely.
The company has notified the 2,180 shoppers who came in contact with the employees and is offering two years of free credit monitoring and protection for those whose information may have been viewed.
"Our top priority is to ensure the safety and security of the entire Instacart community," Instacart said.
The company has teams that perform routine audits and investigations to ensure the integrity of the platform across shopper and customer accounts to quickly identify incidents and act in the best way to best protect the Instacart platform, the company said.
To further protect shoppers on its platform, Instacart will introduce a support process for any shopper who believes they were affected by the contractor's intrusion or anyone who has a security-related question about their account. The company will also expand its two-factor authentication used for all shopper logins.
"This will require shoppers to further verify their identity when changing any information on their account, but we believe it’s an extra step worth taking to help keep shopper information secure," the company said.
The additional security features will be available soon, and shoppers will be notified when they’re able to access them, according to Instacart.
In addition to two-factor authentication, Instacart offers ID verification, where shoppers are prompted to take a photo of themselves periodically to ensure the person matches their photo on file, automatic logouts that will periodically log shoppers out and make them verify their password and identity, and banned device switching, which prevents shoppers from switching between devices in the middle of a batch.
"Maintaining the integrity of our platform is a top priority and we’re committed to ensuring the safety and security of our marketplace for all members of the Instacart community," Instacart added.