Responses
Hello,
This will be the last comment on this thread from me, but just some answers to questions that were posted, roughly in the order they appear.
Communication with customers: Nothing to say here, but this was poor. We could have done a much better job. The SMS people received was automatic, and was missed in our check list. People were only supposed to receive the email that went out.
Password Reset: This takes someone maybe 30-60 sec. Just a link and re-enter passwords, standard security practice currently.
Payment Information: We store payment details as a token, and are PCI compliant, and are audited as such. We do not store customer payment information as anything but a token.
Password reset vs customer communication: I decided to do this as this way we would know we have done everything we can to keep customers safe, which is a nice segue into the next point.
Patterns of attacks we see: We see constant attempts to get into customer accounts through various methods. Most attacks have a user name and password already. They try specific combinations, and are not random - the attackers have lists of emails and passwords (only an issue if people use the same password as TalkTalk etc.). We monitor attempts to login and IP addresses / sessions / device fingerprints etc. This is a game that all online companies face, and our job is to make this harder and harder, while keeping it easy for customers.
Pain to order if you cannot access your email: You can order as a guest any time from our website.
Scalper: Restaurants pay us commission, and customers pay the same price as an offline order. If we find an error in prices, we change this immediately or take the restaurant offline.
Card details obtained: This cannot happen as we do not have the card details of anyone. Possibly if an account login and password was obtained it could be possible to place an order, similar to most online services. We are making this harder all the time as well, through fingerprinting etc.
Checks and Balances: We are audited twice per year by an external security company. This includes penetration testing, code reviews amongst many other things. We implement all their recommendations as soon as we can. We also follow up-to-date security practices and try to ensure that we are at the forefront. One of these was to take the action we took today because of the patterns of attacks we see. We are not perfect, but take security very seriously, and try to constantly improve our processes and performance. We will continue this.
I hope this helps. Thanks for all the notes and feedback.
Cheers
Scott
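The login-monitoring pattern Scott describes (replayed email/password lists, watched per IP and per device fingerprint), as an added defender-side example that is not part of the original post or the company's own code. The log format, field names, thresholds and addresses are constructed assumptions.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Attempt = namedtuple("Attempt", "ts ip fp email ok")  # fp = device fingerprint

def parse_line(line):
    """Parse one constructed log line: '<iso-ts> ip=<ip> fp=<fp> user=<email> result=<ok|fail>'."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Attempt(datetime.fromisoformat(ts), kv["ip"], kv["fp"], kv["user"], kv["result"] == "ok")

def detect_credential_stuffing(attempts, window=timedelta(minutes=10), min_accounts=5, max_success_rate=0.2):
    """Flag a source (keyed by IP and, separately, by device fingerprint) that tries many
    distinct accounts inside one window with almost all of them failing: a replayed list."""
    by_source = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        by_source[("ip", a.ip)].append(a)
        by_source[("fp", a.fp)].append(a)
    flagged = {}
    for key, evs in by_source.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:  # slide the window forward
                start += 1
            win = evs[start:end + 1]
            accounts = {e.email for e in win}
            hits = sum(e.ok for e in win)
            if len(accounts) >= min_accounts and hits / len(win) <= max_success_rate:
                if key not in flagged or len(accounts) > flagged[key]["accounts"]:
                    flagged[key] = {"accounts": len(accounts), "attempts": len(win), "successes": hits}
    return flagged

# Constructed sample log (not real traffic, RFC 5737 test addresses): one source cycling
# through six accounts with a single hit, plus a legitimate user who mistypes once.
SAMPLE_LOG = """\
2015-10-24T09:00:00 ip=203.0.113.5 fp=dev-A user=u1@example.com result=fail
2015-10-24T09:00:10 ip=203.0.113.5 fp=dev-A user=u2@example.com result=fail
2015-10-24T09:00:20 ip=203.0.113.5 fp=dev-A user=u3@example.com result=fail
2015-10-24T09:00:30 ip=203.0.113.5 fp=dev-A user=u4@example.com result=ok
2015-10-24T09:00:40 ip=203.0.113.5 fp=dev-A user=u5@example.com result=fail
2015-10-24T09:00:50 ip=203.0.113.5 fp=dev-A user=u6@example.com result=fail
2015-10-24T09:01:00 ip=198.51.100.7 fp=dev-B user=bob@example.com result=fail
2015-10-24T09:01:30 ip=198.51.100.7 fp=dev-B user=bob@example.com result=ok
"""

def run_detection(log=SAMPLE_LOG):
    return detect_credential_stuffing([parse_line(l) for l in log.splitlines() if l.strip()])

if __name__ == "__main__":
    print(run_detection())
```

Keying on both IP and fingerprint matters: an attacker rotating IPs still shares a fingerprint, and one rotating fingerprints often still shares an IP.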