A small business in Napier, New Zealand, spent more than a month in financial limbo after a sophisticated impersonation scam left its payment pipeline severed. Penny Leigh, owner of The Sushi Club, found herself waiting six weeks for money owed after her Uber Eats account was hacked, highlighting the precarious nature of the digital bridge between local vendors and global delivery platforms.
The ordeal began in February when Leigh was targeted by scammers posing as Uber representatives. Through a series of deceptive phone calls, the attackers tricked her into revealing the business’s latest email account details. This breach allowed the scammers to infiltrate the account on the afternoon of Monday, February 16, where they promptly altered the banking and account details to redirect order payments into their own pockets.
While the initial breach was corrected quickly, the subsequent “security” response from the tech giant created a secondary crisis for the restaurant. What began as a targeted hack evolved into a bureaucratic stalemate, leaving the business to fulfill orders without receiving the corresponding revenue for weeks.
The Anatomy of the Breach and Recovery
The timeline of the incident reveals a jarring contrast between the speed of the attack and the slowness of the corporate recovery process. Given that Uber Eats typically processes payments on Tuesdays, the timing of the February 16 hack created immediate financial anxiety for Leigh.
Leigh was able to correct the account details quickly, and Uber processed the immediate funds on February 17. Still, the resolution of the hack triggered a standard security protocol that proved devastating for the small business’s cash flow. Following a conversation with an Uber representative, the company placed The Sushi Club’s account on hold to facilitate an internal investigation.
For several weeks following the hold, The Sushi Club continued to operate and fulfill delivery orders, essentially providing a line of credit to the platform. As the investigation dragged on, the amount owed to the business climbed to nearly $3,000.
| Date | Event |
|---|---|
| Feb 16 | Scammers access account and change payment details. |
| Feb 17 | Account details corrected; immediate payments processed. |
| Feb 17+ | Account placed on hold by Uber for investigation; payments cease. |
| March 28 | Uber notifies Leigh that the account is unlocked. |
| March 31 | Final payments scheduled for release. |
Communication Breakdown and Business Impact
The most distressing aspect of the experience for Leigh was not the initial hack, but the subsequent silence from the platform. While she described the initial communication as “really good,” that support vanished once the account was placed on hold. Leigh reported that she attempted to contact every available Uber address to receive an update on the investigation, but her inquiries went unanswered.
The financial strain eventually forced a difficult operational decision. Unable to track when or if the missing funds would be returned, the restaurant stopped taking Uber Eats orders entirely.
“We couldn’t keep using Uber while we weren’t getting paid, and we were unsure whether we were even going to,” Leigh said. “It was really horrible.”
This situation underscores a growing vulnerability for small enterprises relying on third-party delivery ecosystems. When a centralized account is flagged for security, the automated “safeguards” designed to prevent fraud can inadvertently penalize the legitimate business owner, stripping them of their primary revenue stream with little to no human oversight for the duration of the hold.
Uber’s Response and the Path Forward
Uber eventually resolved the matter on Saturday, March 28, informing Leigh that the account had been unlocked and that the withheld payments would be issued the following Tuesday. This concluded a six-week period of instability for the Napier business.
In a statement, an Uber spokesperson emphasized that the company takes reports of account compromise and impersonation scams seriously. The spokesperson added, “We’re sorry to hear about the stress and disruption this incident has caused Penny and The Sushi Club.”
The company defended the apply of “temporary safeguards,” noting that these are implemented when the platform becomes aware of suspicious activity—such as unauthorized access or sudden changes to banking information—to verify account details before funds are released. According to the company, the payments were released once the “required account security steps” were completed.
Despite the trauma of the experience, Leigh indicated that The Sushi Club will continue to partner with the service due to its popularity and the volume of customers it brings to the business. However, the experience has left a lasting sense of insecurity regarding the platform’s resilience against cybercrime.
“I don’t know what we’re going to do if we gain hacked again,” Leigh said.
For other small business owners, this incident serves as a critical reminder of the importance of multi-factor authentication and the risks of “social engineering” scams where attackers pose as corporate support staff. Those seeking to protect their digital storefronts are encouraged to review the CERT NZ guidelines on avoiding phishing and impersonation scams.
The next step for The Sushi Club involves returning to full operational capacity on the platform while implementing stricter internal protocols to handle communications from third-party service providers.
Do you have experience with delivery platform disputes or digital security breaches in your business? Share your thoughts and experiences in the comments below.
