Spark, Walmart’s crowdsourcing delivery service, has suffered a cyberattack, with malicious actors accessing the sensitive data of some of its drivers.
The breach, which the company says was most likely a credential stuffing or phishing attack, exposed details of over 200 Spark Driver accounts, Walmart said in a breach notification letter to affected individuals.
“We recently discovered that an unauthorized party accessed a limited number of drivers’ Spark Driver account information through the Spark Driver portal,” Walmart told Cybernews.
The company said it notified law enforcement about the attack and directly reached out to potentially affected individuals.
“To be clear, this is an account takeover event (either through phishing or credential stuffing) – not a hack of Walmart systems,” the US retail giant explained.
According to the company, the attack occurred between early December 2023 and early February 2024, which means that attackers had access to compromised accounts for around two months. The breach notification letter indicated that malicious actors may have personal details of Spark drivers, including:
- Social Security numbers
- Driver’s license numbers
- Dates of birth
- Names
- Contact information (phone numbers, email addresses, mailing address)
The company has reset passwords of the compromised accounts and “implemented an additional knowledge-check mechanism required to access sensitive information in driver profiles.”
Spark drivers whose accounts may have been accessed by attackers will be provided two years of credit monitoring services free of charge.
Spark Driver apps allow individuals to become independent contractors for Walmart. Drivers use their vehicles to deliver groceries, food, home goods, and other produce. The service is available in 3650 cities and all 50 states.
Walmart is among the world’s largest retailers, with revenues exceeding $611 billion in 2023. The company employs over 2.3 million people globally.