KARACHI – Foodpanda, which partners with hundreds of restaurants across Pakistan, may have accidentally left sensitive vendor information completely open online.
An AI solutions architect found the problem while testing a tool to analyze restaurant data such as pricing, delivery times, and cuisines. The expert discovered an unsecured public API endpoint, pandora/vendors?country=pk, that required no login and had no limits on access. The data it exposed is deeply concerning, including:
- Exact restaurant locations
- Types of cuisine
- Delivery fees
- Owner phone numbers and contact details
- Vendor performance metrics
“This isn’t just a technical flaw, it’s a massive privacy failure,” Khan warned. “Malicious actors could exploit this data to target restaurant owners directly. Even new delivery services could use it to poach vendors or craft precise marketing strategies without starting from scratch.”
Experts say the leak highlights a dangerous trend: tech companies racing to adopt AI and digital growth strategies while ignoring basic data security principles. Khan added, “Security isn’t just about firewalls or encryption. It begins with careful design, every piece of data you expose matters.”
Although the dataset has been masked and published on Kaggle for transparency, the breach raises serious questions about Foodpanda Pakistan’s data protection practices. Users and vendors alike could be at risk if such exposures continue.
So far, neither Foodpanda Pakistan nor its parent company, Delivery Hero, has commented on the situation, leaving many to wonder how many other sensitive data points might be sitting unprotected online.
This is a wake-up call for the tech industry, as even major platforms can make shocking mistakes when it comes to safeguarding private data.
Daily Pakistan reached out to Foodpanda for a comment on the issue but did not receive a response.












