DoorDash Lawsuit Claims Company Failed to Protect Private Info of Customers, Employees and Merchants

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action lawsuit claims that a 2025 DoorDash data breach was the result of the food delivery platform’s failure to implement reasonable cybersecurity measures to protect the information of users, employees and merchants.

Want to stay in the loop on class action lawsuits that matter to you? Sign up for ClassAction.org’s free weekly newsletter.

According to the 31-page complaint, the DoorDash data breach exposed the names, email addresses, phone numbers and physical addresses of potentially thousands of people. The incident was a direct result of DoorDash neglecting to ensure to encrypt or otherwise secure the personally identifiable information (PII), or destroying data, specifically old data from inquiries and/or customers that the company “had no legal right or responsibility to retain,” the suit claims.

Related Reading: DoorDash, Apple Pay Facing Class Action Lawsuit Over Allegedly Unauthorized DashPass Subscription Charges

The case argues that consumers, employees and merchants alike expect companies such as DoorDash— which require personal details like names, addresses, and contact information to function—to assume “legal and equitable duties” to protect their data and only disclose it under authorized circumstances.

DoorDash is aware, or should have been aware, of the magnitude of information stored on its systems and how that could make the company a unique target for cyberattacks and the subsequent need for protection, the complaint says. However, the company failed to take industry-standard security measures to protect the private data of thousands of individuals and businesses, the lawsuit claims.

The plaintiff, a California resident, is a DoorDash customer who relied on the company to maintain their PII and now, like many other class members, fears that their information may end up on the dark web or in the hands of unauthorized parties for highly targeted marketing.  

Concerns of personal data surveillance are “lasting and severe,” the case contends, because “[o]nce PII is stolen, fraudulent use of that information and damage to victims may continue for years.”  

On November 13, 2025, DoorDash released a statement in a blog post confirming the data breach, whereby an employee fell victim to a social engineering scam and allowed an unauthorized party to access to computer systems. DoorDash stated that names, contact information and addresses of those associated with the company may have been compromised, but no Social Security numbers or payment information were accessed.

The DoorDash data breach lawsuit looks to cover all individuals whose personally identifiable information was accessed and/or obtained by an unauthorized party during the DoorDash data incident.

Are you owed unclaimed settlement money? Check out our class action rebates page full of open class action settlements.