UK users of an app that offers local cleaners and handymen for hire have been warned of a ‘cybersecurity incident’ and urged to review their password used on other sites.
California-based company TaskRabbit, owned by Swedish furniture giant IKEA, has taken its app and website offline while it works with IT experts and police to determine what has happened.
This means app users are unable to access their accounts, leaving them and the service professionals (called ‘taskers’ in the app) they’ve hired for upcoming tasks in limbo.
The app currently operates in four UK locations – Birmingham, Bristol, London and Manchester – athough it’s not yet clear how many UK customers or taskers are affected or what information may have been breached.
For more information on your rights and what you can do when your data has or may have been breached, see our data breach survival guide.
What did TaskRabbit say?
In a late-night email to UK customers on Monday 16 April, TaskRabbit said:
‘TaskRabbit is currently investigating a cybersecurity incident. We understand how important your personal information is and are working with an outside cybersecurity firm and law enforcement to determine the specifics. In the meantime, the app and the website are offline while our team works on this.
‘We will be back in contact with you with more information once we have it. As an immediate precaution, if you used the same password on other sites or apps as you did for TaskRabbit, we recommend you change those now.
‘If you have any questions in the meantime, please reply to this email.
‘Thank you for your patience while we investigate the issue and for being such an important part of our community.’
I use TaskRabbit – how can I stay secure?
If you use TaskRabbit, you won’t currently be able to change your password or access your personal information on the app as it has been taken offline temporarily.
However, if you use the same or similar passwords on other sites, TaskRabbit is urging you to change these to new, unique passwords immediately.
This suggests that TaskRabbit has not ruled out that some passwords may have been unlawfully accessed during the cybersecurity incident.
TaskRabbit customer accounts contain the following information:
- Email address
- Phone number
- Partial credit/debit card number
- Purchase history
- Private messages between customers and taskers.
My booking has been affected – what are my rights?
TaskRabbit customers whose appointments have been affected will be able to reschedule once the app is back up, although it’s not clear when that will be.
For service providers, it has also vowed to ‘appropriately compensate’ those who couldn’t attend their appointment yesterday or today because the app was down.
You can find out more about what TaskRabbit has said it will do on it’s account security update page.
Which? contacted TaskRabbit to seek further details on the incident and plans for compensation. However it simply provided a statement saying it ‘regrets any inconvenience’ to users and ‘will communicate additional details as they become available’.
Data regulator, the Information Commissioner’s Office (ICO), has said: ‘We are aware of a potential data breach in relation to TaskRabbit and are looking into this.’
Find out more about the new GDPR rules, coming into force in May 2018, to give you better powers to stop your information being used, stop unwanted direct marketing and understand companies’ responsibilities.