Grant West got hold of personal data of 165,000 Just Eat users over five months
A cyber criminal yesterday admitted touting the personal details of 165,000 Just Eat customers for sale on the dark web for use in a ‘phishing’ scam.
Grant West, 25, who lived in a caravan in Minster-on-Sea, Kent, used usernames and passwords stolen from third parties to access customer accounts.
The scam over a five-month period between July and December 2015 left Just Eat with a bill of around £210,000 in mitigation costs.
Similar attacks were launched against firms including Sainsbury’s, Groupon, Uber, T-Mobile and Argos between August and September this year – after West was bailed.
West tried to get customers’ ‘Fullz’ – typically made up of names, addresses, email addresses, passwords and credit card CVV numbers – which could then be sold.
He pleaded guilty at Southwark Crown Court to conspiracy to defraud Just Eat and its customers along with a string of other charges related to his dark web shop.
Grant West obtained personal data of 165,000 users of Just Eat (file image) over five months
A hacking charge states West launched ‘brute force’ attacks against 17 different websites using specialist software in a bid to obtain personal information.
Companies attacked included Asda, bookmakers Ladbrokes and Coral. Other targets included Nectar.
West, who used the online identity ‘Courvoisier’, also sold cannabis, which was delivered to customers. Much of his business was carried out using Bitcoins.
In May, he denied conspiring to defraud Just Eat and was released on bail, but continued his illicit online trade.
Police found around £25,000 in cash, along with hundreds of grams of cannabis, when they searched his property in August and September this year.
He appeared in the dock wearing a grey tracksuit and tapped his fingers as if he was typing on an imaginary keyboard.
His barrister, Anna Mackenzie, stood close by as he entered guilty pleas to ten charges.
West pleaded guilty at Southwark Crown Court (above) in London to conspiracy to defraud
West admitted two counts of conspiracy to defraud, one charge of computer hacking, four charges relating to the possession and supply of cannabis, two counts of possessing criminal property and one count of money laundering Bitcoins.
Judge Joanna Korner QC remanded him in custody and adjourned his sentencing to a later date.
After the case, a Just Eat spokesman said: ‘We were made aware of a phishing scam which took place in 2015 and at the time took steps to mitigate this.
‘This particular attack affected both Just Eat customers and non-customers. At no point were Just Eat systems compromised or breached.
‘Protecting our brand and our customers from online fraud is of utmost importance to us. We have a dedicated information security team.
‘We do not store customer card details on our website or app and all payments are managed securely by an independent, external payment service provider.’