The restaurant name change incident did not affect users' personal data and there is no evidence of a leak or any type of improper access to this database. Safety is priority
For iFood, information security and the protection of personal data are priorities. The way the company obtains, stores, uses, shares and protects the information of users registered in the application - described in its Privacy Statement – is in line with the General Data Protection Law (LGPD), best market practices and financial regulation.
In view of the incident of changing restaurant names, iFood News spoke to Camila Nagano, in charge of the company's privacy program. In addition, we have prepared a question and answer guide to explain, in practice, how this type of issue is handled by the platform.
On the night of November 2nd, iFood identified that approximately 6% of establishments registered on the platform had their names changed. What caused the incident?
The incident was the result of the misuse of the account of an employee of one of the companies that provide customer service to iFood and who had permission to adjust restaurant registration information on the platform. The service provider's access was immediately interrupted, and the names of the restaurants have already been reestablished.
Did the incident involve other data, in addition to the name change displayed on the app?
No. The personal data of users and delivery people were not affected and there is no evidence of a leak or any type of improper access to this database. Nor was there any change or use of the personal data of the owners or managers of the establishments.
And were users' card data affected?
No, as iFood does not store card data. Therefore, it is impossible to leak this type of information. It is worth noting that we follow PCI (Payment Card Industry) standards, required by credit card brands for companies that handle or transact card data, to guarantee the protection of payment information for all people who use iFood services. Additionally, we conduct frequent external audits to ensure we maintain strict security processes and standards.
Still talking about the incident, is there a risk of a card being cloned?
Any cloning would have no relation to the incident because, as indicated in the iFood Privacy Statement, the company does not store card data.
Given what happened, should the user take any extra precautions now?
It is not necessary to delete the account or payment data from the application, as there was no invasion of users' personal or account data. The incident was limited to the establishment's customer service platform, without involving personal data or payment data.
What other measures does iFood take on a daily basis to ensure that users' personal data is safe?
We have several security mechanisms, such as periodic tests and access controls to internal platforms, teams specialized in Security and Protection of Personal Data and technical measures to prevent access, deletion or inappropriate or illicit use of data from iFood users – consumers, establishments and delivery people.
What precautions are recommended in relation to card data and other personal data?
Never provide data or images of your card to friends or acquaintances, much less never disclose sensitive information about your card (name, CVV and validity) or other personal data on social networks, WhatsApp and other public means of communication. Also pay attention, when providing your card to third parties, for the value that appears on the little machine – only then enter the password and complete the transaction. Also, use different passwords on each app or website and never share them with others.
What is the most appropriate channel to deal with card-related issues with iFood?
All communication must be done through the application itself. To do this, simply access the Profile > Help > Payments (questions about payments) buttons.
