A significant data privacy lapse has emerged in Foodpanda Pakistan after an unprotected public API was found to expose sensitive information about restaurant partners. The issue came to light when Amin Ahmed Khan, a local AI solutions architect, was experimenting with an AI tool designed to analyze Foodpanda’s restaurant listings, including pricing, cuisines, ratings, and delivery times. While testing the public API for data extraction, Khan discovered that the endpoint pandora/vendors?country=pk required no authentication and lacked rate limiting, allowing unrestricted access to critical data.
The API reportedly exposed detailed information including restaurant location coordinates, cuisine categories, delivery fees, vendor performance metrics, and owner contact details such as phone numbers. Experts have warned that this level of exposure could pose serious risks to restaurant owners and users of the Foodpanda platform, particularly given the presence of stored card information in the app. According to Khan, the unprotected dataset could allow competitors or malicious actors to target restaurants directly, bypassing normal business acquisition channels, and even design precise marketing strategies using the available information.
While this incident does not constitute a traditional data breach, it highlights negligence in API design and governance. Khan has compiled and shared a masked version of the dataset on Kaggle for transparency, prompting discussions about data handling and platform accountability. Foodpanda’s parent company, Pandora, had previously been alerted to the vulnerability by India-based cybersecurity researcher Palvinder Singh, but the concern was reportedly dismissed at the time. Following Khan’s discovery, Pandora’s CTO reached out requesting removal of the dataset while the matter is investigated, acknowledging that some of the exposed data is necessary for operations but other information may not be.
Foodpanda has issued a statement affirming adherence to privacy and security standards, emphasizing that no data breach has occurred on the platform. The company highlighted its bug bounty program as a proactive measure to encourage security feedback and strengthen data protection for both vendors and users. Despite these assurances, the incident underscores the importance of intentional data design and responsible API management. Industry experts note that overlooking fundamental data hygiene in the rush toward AI-driven growth can erode trust and compromise sensitive information, signaling a need for rigorous review and secure development practices across digital platforms in Pakistan.
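As an added defender's illustration (not code from Foodpanda, Pandora or the article), the following sketches the two controls the report says were missing on a public vendor-listing endpoint: an allowlist that keeps owner contact details, precise coordinates and internal metrics out of the unauthenticated response, and a per-client rate limit. Field names, the sample record and the "neighbourhood-level coordinates are enough" assumption are constructed for the example.

```python
"""Response shaping for a public vendor listing (constructed example, not
Foodpanda/Pandora code). A vendor record mixes fields a listing needs with
fields it does not (owner contact, precise coordinates, internal metrics);
the public view is built from an allowlist, so new fields are withheld by
default, and a token bucket caps requests from unauthenticated clients."""
import time

# Fields an unauthenticated caller may see; anything not listed is dropped.
PUBLIC_VENDOR_FIELDS = frozenset({"id", "name", "cuisines", "rating",
                                  "delivery_fee", "delivery_time_min"})

def coarsen(lat, lon, places=2):
    """Round coordinates to roughly neighbourhood precision (assumed sufficient)."""
    return {"lat": round(lat, places), "lon": round(lon, places)}

def public_view(vendor: dict) -> dict:
    """Project a full vendor record onto the public allowlist."""
    view = {k: v for k, v in vendor.items() if k in PUBLIC_VENDOR_FIELDS}
    if "location" in vendor:
        view["location"] = coarsen(vendor["location"]["lat"], vendor["location"]["lon"])
    return view

class TokenBucket:
    """Per-client limit: `rate` requests per second with a burst of `capacity`."""
    def __init__(self, rate, capacity, clock=time.monotonic):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self.tokens, self.last = float(capacity), clock()

    def allow(self) -> bool:
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

# Constructed sample record with the kinds of fields the article names.
SAMPLE_VENDOR = {
    "id": 101, "name": "Example Biryani House", "cuisines": ["Pakistani"],
    "rating": 4.3, "delivery_fee": 49, "delivery_time_min": 35,
    "location": {"lat": 24.861234, "lon": 67.009876},
    "owner_name": "Constructed Owner", "owner_phone": "+92-300-0000000",
    "performance": {"cancel_rate": 0.04, "orders_7d": 812},
}

def handle_list_vendors(buckets: dict, client_id: str, vendors) -> tuple:
    """Return (status, body); 429 once the client's bucket is empty."""
    bucket = buckets.setdefault(client_id, TokenBucket(rate=1.0, capacity=3))
    if not bucket.allow():
        return 429, {"error": "rate limited"}
    return 200, [public_view(v) for v in vendors]
```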