GrubHub Data Breach Exposes Corporate Negligence on a Massive Scale
A federal class action lawsuit filed in January 2026 accuses GrubHub Holdings, Inc. of knowingly storing the most sensitive personal data of hundreds of thousands of customers and workers in systems too weak to protect it, then waiting months before telling anyone their information had been stolen.
The Non-Financial Ledger
Brian Bianchi worked for GrubHub. He gave them his Social Security number because he had to. You don’t get a paycheck without it. You don’t get onboarded without handing over your driver’s license, your address, your date of birth. These aren’t things you volunteer casually. They’re things you surrender because the employer holds the power and you need the job.
He trusted them with that information. Not enthusiastically. Not with any illusion that GrubHub cared about him as a person. But with the basic, reasonable expectation that a billion-dollar corporation running a nationally known platform would at least keep his Social Security number somewhere a criminal couldn’t easily reach it. That expectation turned out to be wrong.
When the breach happened in January 2025, Bianchi didn’t know. Nobody told him. He went about his life, unaware that somewhere in the digital underground, people were potentially buying and selling his identity, his insurance information, his home address. The lawsuit makes this point with a particular kind of brutality: he “was unaware of the Data Breach until the notice was published.” That notice came out February 3, 2025. Between the breach and the notice, an undisclosed amount of time passed in which victims had no ability to act.
After the notice, Bianchi’s time became GrubHub’s problem to solve. He spent hours verifying whether the breach was real. Hours researching credit monitoring services. Hours checking his accounts obsessively for signs of fraud. Hours consulting an attorney. These are hours he will never get back, hours taken from his life by a company that, the complaint alleges, never properly encrypted his data.
The anxiety described in this lawsuit is documented injury. The complaint specifically names “increased anxiety for loss of privacy” and “anxiety over the impact of cybercriminals accessing, using, and selling their PII and financial information” as harms suffered. This isn’t abstract legal language. This is the specific psychological condition of knowing that strangers have your Social Security number, your home address, and the details of your vehicle insurance, and having absolutely no idea what they’re doing with it, or when they’ll use it.
For former employees like Bianchi, this sting is compounded by the nature of their relationship with GrubHub. They didn’t choose to hand over this data to get a burrito delivered. They handed it over to earn a living. Their most sensitive identifying information was a condition of employment, collected by the company as a bureaucratic necessity, and then left sitting in systems that, according to the lawsuit, lacked proper encryption, monitoring, and oversight. The transaction was compulsory. The betrayal was preventable.
The victims of this breach now face a threat that does not expire. Social Security numbers don’t change. A credit card number gets replaced when fraud hits. Your SSN follows you for life. The GAO study cited in this complaint puts it plainly: fraudulent use of stolen identity information “may continue for years.” GrubHub’s failure is not a single event in the past. For the people affected, it is an ongoing condition, a permanent reduction in the security of their identity, caused by a company that had the resources to do better and chose not to.
— Class Action Complaint, Case No. 1:26-cv-00671
Legal Receipts
These are direct quotes from the filed complaint, Case No. 1:26-cv-00671. Nothing below has been paraphrased or invented.
“Defendant disregarded the rights of Plaintiff and Class Members by intentionally, willfully, recklessly, or negligently failing to take and implement adequate and reasonable measures to ensure that Plaintiff’s and Class Members’ PII and financial information was safeguarded, failing to take available steps to prevent unauthorized disclosure of data, and failing to follow applicable, required and appropriate protocols, policies and procedures regarding the encryption of data, even for internal use.”
— Complaint ¶8
- This paragraph pleads the encryption failure in the alternative: intentional, willful, reckless, or negligent. Each theory carries different legal weight, but all of them rest on the same factual allegation, that GrubHub did not encrypt the data it held, including data used inside its own systems, so anyone with access to those systems, employee or intruder, could read it in the clear.
- The phrase “even for internal use” is the security-relevant point. Encrypting traffic at the network perimeter does nothing once an attacker has a foothold inside; what protects a stored Social Security number or driver’s license number is encryption at rest, with keys that a compromised account or database server cannot trivially use, so that the intruder walks away with ciphertext rather than usable records. The complaint alleges that barrier was absent.
“Not until after months it claims to have discovered the Data Breach did Defendant begin sending the Notice to persons whose PII and financial information Defendant confirmed was potentially compromised as a result of the Data Breach.”
— Complaint ¶45
- GrubHub’s own breach notice, dated February 3, 2025, states the company learned of the breach in January 2025. Taken at face value, that is a gap of weeks, not months, so the complaint’s phrase “months it claims to have discovered” is either a challenge to when GrubHub actually discovered the intrusion or a reference to the time between the intrusion itself and the notice. The filing as quoted here does not say which; what it does assert is that the delay between compromise and victim notification was unacceptably long.
- Every day of that delay was a day victims could not freeze their credit, monitor their accounts, or alert financial institutions. The legal standard the complaint invokes requires prompt notification, not notification after an internal review process of undisclosed length.
“Plaintiff and Class Members are, thus, left to speculate as to where their PII ended up, who has used it, and for what potentially nefarious purposes, and are left to further speculate as to the full impact of the Data Breach and how exactly Defendant intends to enhance its information security systems and monitoring capabilities to prevent further breaches.”
— Complaint ¶51
- This records the complaint’s position that GrubHub’s communication remains inadequate. Even after the February 2025 notice, victims have not been told where their data ended up, who has used it, what the full scope of the breach was, or what post-breach security changes GrubHub actually implemented.
- The word “speculate” is doing important legal work here. It asserts that GrubHub’s communications were insufficient to let victims make informed decisions about protecting themselves, which the complaint argues falls short of the disclosure obligations imposed by state and federal law.
“[L]aw enforcement officials told us that in some cases, stolen data might be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years. As a result, studies that attempt to measure the harm resulting from data breaches cannot necessarily rule out all future harm.”
— U.S. Government Accountability Office, cited in Complaint ¶76
- The inclusion of this GAO finding establishes that the harm from GrubHub’s breach is not limited to what victims can document today. Criminals may be warehousing the stolen data to use it later, meaning victims face years of elevated risk with no definitive end date.
- This finding also supports the complaint’s claim for future damages. Some courts have treated the ongoing, open-ended nature of identity theft harm as sufficient for standing even when victims have not yet experienced documented fraud.
“Defendant was aware, or should have been aware, that reasonable patients and consumers would have wanted their PII and financial information kept secure and would not have contracted with Defendant, directly or indirectly, had they known that Defendant’s information systems were sub-standard for that purpose.”
— Complaint ¶126
- This is the unjust enrichment argument in plain language. GrubHub collected money and labor from people who believed their data was being protected. If those people had known the security was substandard, they would not have used the platform or accepted employment. GrubHub profited from a false impression it allowed to persist.
- The word “patients” in a food delivery lawsuit is most likely a drafting artifact: the sentence reads as if lifted from a template used for healthcare breach complaints. Nothing quoted from the filing indicates that GrubHub held health data, and the slip should not be read as evidence that it did.
— Complaint ¶63, citing FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015)
Societal Impact Mapping
Public Health
The harms documented in this breach extend into mental and social well-being. The complaint explicitly names psychological injuries as legally cognizable damages.
- Plaintiff Brian Bianchi alleges “increased anxiety” and “anxiety over the impact of cybercriminals accessing, using, and selling their PII and financial information,” injuries that the lawsuit treats as real, compensable harm, not background noise.
- The chronic stress of living with exposed Social Security numbers and financial data has no defined endpoint. The GAO research cited in the complaint confirms fraudulent activity can extend for years, meaning victims carry this psychological burden indefinitely.
- Victims face the psychological burden of hypervigilance: constantly monitoring accounts, scrutinizing every financial transaction, and living with the knowledge that their most sensitive information is out of their control. This is a recognized form of ongoing harm in data breach litigation.
- The complaint documents “loss of privacy” as a specific injury. The loss of control over one’s own personal information erodes the sense of autonomy and security that people depend on for basic psychological stability.
- Delivery workers and gig economy employees, a population already characterized by economic precarity and limited access to mental health resources, are among the victims. The stress of an identity breach compounds the existing pressures on this workforce without any additional support from the company that caused it.
Economic Inequality
The financial fallout from this breach does not land equally. The people harmed most are those with the fewest resources to absorb it.
- The complaint pleads out-of-pocket expenses for “prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of their PII and financial information.” Credit monitoring services, identity theft insurance, and legal consultations all cost money, money that victims pay because GrubHub failed them.
- Gig workers and delivery drivers, who likely make up a significant portion of the affected class, already face wage instability, lack of traditional employee benefits, and thin financial margins. A tax return filed fraudulently in their name, a bank account drained through identity theft, or a fraudulent loan taken out in their name could be financially devastating in ways that would be merely inconvenient to a wealthier person.
- Dark web pricing cited in the complaint, $40 to $200 per stolen identity package and $999 to $4,995 for an entire breach database, reveals an economy of harm that profits criminals while imposing costs on victims. GrubHub’s alleged negligence created the product; the victims, not the company, absorb the cost of its sale.
- The complaint pleads “lost work time” and “lost opportunity costs” as damages. Every hour a victim spends managing this breach is an hour they cannot spend earning income, particularly damaging for hourly and gig workers who are paid only for time actively worked.
- The harm is asymmetric. GrubHub continues to operate and profit. Its leadership faces no personal financial exposure. The victims, many of them lower-income gig workers and food delivery customers, absorb years of risk and mitigation costs with no guarantee of meaningful compensation from this lawsuit.
- The complaint frames future costs as extending “for the remainder of the lives of Plaintiff and Class Members.” This is not hyperbole. Social Security numbers do not expire. The breach created a permanent elevation of financial risk for every person affected.
The “Cost of a Life” Metric
$4,995: the maximum price, per the dark web figures cited in the complaint, that a criminal pays to purchase an entire company’s breach database, including one like GrubHub’s containing Social Security numbers, home addresses, driver’s license numbers, and vehicle insurance data for tens to hundreds of thousands of people.
For less than the cost of a used car, criminals can buy the complete identity package of every person GrubHub failed to protect. The complaint alleges GrubHub did not invest in adequate encryption; criminals need invest almost nothing to profit from that choice.
$200: the maximum dark web price cited for a single stolen identity package, the price a criminal pays for your name, Social Security number, and identifying data. A GrubHub delivery driver earning, say, $15 an hour hands over information worth $200 to a criminal in exchange for a job, and GrubHub allegedly failed to protect that information while it held it.
The worker produced the labor. GrubHub captured the relationship and the data. The criminal captures the identity. The worker pays the lifetime cost.
What Now?
GrubHub Holdings, Inc., a Delaware corporation headquartered at 111 W. Washington St., Suite 2100, Chicago, Illinois 60602, is the named defendant. The complaint does not name individual executives, so corporate roles are listed where applicable. The case is before the U.S. District Court for the Northern District of Illinois, Case No. 1:26-cv-00671.
Key Corporate Roles to Watch
- GrubHub Holdings, Inc., Chief Executive Officer: The individual accountable for the company’s data security culture and resource allocation decisions that preceded this breach.
- GrubHub Holdings, Inc., Chief Information Security Officer (CISO): The individual directly responsible for the encryption policies, monitoring systems, and incident response protocols that the complaint alleges were inadequate or absent.
- GrubHub Holdings, Inc., General Counsel: The individual responsible for the company’s legal compliance with FTC Act obligations and state data breach notification laws, including the timing of the February 3, 2025 notice.
- GrubHub Holdings, Inc., Board of Directors: The governing body responsible for oversight of enterprise risk, including cybersecurity risk. Their awareness of and response to this breach is a material governance question.
Watchlist: Regulatory Bodies
- Federal Trade Commission (FTC): Has direct statutory authority under the FTC Act (15 U.S.C. § 45) to pursue GrubHub for “unfair or deceptive acts or practices.” The precedent cited in the complaint, FTC v. Wyndham Worldwide Corp., confirmed that the FTC may bring enforcement actions over inadequate data security as an unfair practice. File a complaint at ftc.gov/complaint.
- Illinois Attorney General: GrubHub is headquartered in Illinois and the plaintiff is an Illinois resident. Illinois has state-level data breach notification laws and consumer protection authority. The AG’s office can pursue enforcement independent of the federal lawsuit.
- Consumer Financial Protection Bureau (CFPB): Financial information was part of the stolen data. The CFPB’s authority covers providers of consumer financial products and services, so its reach over a food delivery platform is narrower than the FTC’s, but it accepts complaints about mishandled consumer financial data. File a complaint at consumerfinance.gov/complaint.
- Department of Justice (DOJ) and FBI: The criminal intrusion itself is a federal crime under the Computer Fraud and Abuse Act, prosecuted by DOJ’s Criminal Division (its Computer Crime and Intellectual Property Section) with the FBI investigating. Victims can report cybercrime to the FBI’s Internet Crime Complaint Center at ic3.gov.
If You Think You’re Affected: Immediate Steps
- Freeze your credit at all three bureaus immediately: Equifax (equifax.com), Experian (experian.com), and TransUnion (transunion.com). A credit freeze is free by federal law, does not affect your credit score, and prevents new accounts from being opened in your name; you can lift it temporarily when you apply for credit yourself. This is the single most effective tool you have.
- Request an IRS Identity Protection PIN: With Social Security numbers potentially exposed, the most likely near-term fraud is a fraudulent tax refund filed in your name before you file your own return. An IP PIN from the IRS blocks any return filed without it. Apply at irs.gov/identity-theft-central; once enrolled, you receive a new PIN each year and must include it on every return you file.
- Monitor your Social Security earnings record: Create an account at ssa.gov and check annually for unauthorized employment entries that could indicate someone is working under your SSN.
- Contact ClassAction.org: This complaint was indexed at ClassAction.org. If you are a current or former GrubHub employee or customer who received a breach notice or believes you were affected, visiting classaction.org may connect you with the legal process.
- Organize with other gig workers: The gig economy’s power imbalance is what made employees like Bianchi compelled to hand over this data in the first place. Groups like the Gig Workers Collective (gigworkerscollective.org) advocate for gig worker rights, including data rights. If you are a delivery driver or platform worker, connecting with organized worker groups is a direct form of resistance against the conditions that made this breach possible.
- Demand transparency from GrubHub directly: The complaint asserts that GrubHub still has not told victims where their data ended up, who has used it, or what the full scope of the breach was. Contact GrubHub’s customer support and, in writing, demand a full accounting of what information of yours was accessed, retained, and potentially exposed. Keep copies of the request and any response; they document the company’s disclosure conduct.
The source document for this investigation is attached below.