Napier’s The Sushi Club Waits Six Weeks for Money Owed After Uber Eats Account Hacked

Food‑delivery aggregators have become lifelines for independent eateries, especially in regional markets like Napier where dine‑in traffic can be seasonal. When The Sushi Club’s Uber Eats account was compromised in February, the platform froze nearly $3,000 in pending payouts while it investigated the breach. For a small business that relies on weekly cash inflows to cover staff wages, ingredients, and rent, a six‑week payment hold translates into a severe liquidity crunch, forcing the owners to suspend Uber orders and scramble for alternative revenue streams.

The incident exposes a broader weakness in how third‑party platforms authenticate account changes. Scammers obtained the restaurant’s email address, impersonated Uber support, and altered banking details, a tactic that bypasses many two‑factor safeguards. Uber’s later statement about “temporary safeguards” suggests that real‑time verification is not uniformly applied, leaving merchants exposed to social‑engineering attacks. Industry peers such as DoorDash and Deliveroo have begun rolling out mandatory multi‑factor authentication and automated alerts, but adoption remains uneven, highlighting a gap between security promises and operational reality.

Regulators and consumer‑protection agencies are likely to scrutinize these gaps, especially as gig‑economy platforms grow in market share. Restaurants can mitigate risk by maintaining separate business email accounts, regularly reviewing payout settings, and demanding rapid escalation paths from delivery partners. For Uber Eats, improving transparent communication and establishing clear timelines for frozen funds could restore trust and reduce churn among small‑scale partners. Ultimately, stronger security protocols and responsive support will be essential to sustain the symbiotic relationship between aggregators and the local food‑service ecosystem.