Ride-Hailing Service Prominent at SXSW Briefly Exposed Data on as Many as 1 Million Customers

From Gizmodo - November 10, 2017

Ride-hailing apps like Uber, Lyft, and countless smaller startups are afforded access to information you might prefer other people didn't know. In most cases, you're providing explicit details concerning your whereabouts, as well as your destination. As long as that data stays private, it's all gravy: You safely get home from the bar, the driver and service get paid, and no one needs to talk about why you were out at 2am on a school night. But what if anyone (strangers, exes, coworkers, your boss) could find out where you've been? What if they knew your routine? Would you care?

Consider this a cautionary tale: Fasten, a ride-sharing company whose app is primarily used in the Boston area, was forced into action last month after one of its servers, which contained an abundance of personal and location data about its customers, began to leak online. The company has confirmed that it was notified late last month of a potential data breach. Kromtech, the security firm that discovered the files and contacted Fasten to secure the breach, believes as many as 1 million customers may have been exposed, however briefly.

Among the data viewed by a security researcher were the names, email addresses and phone numbers of customers, as well as links to their photos. The last four digits of the customers' credit cards or email addresses associated with their PayPal accounts were also included. Moreover, the car registration information and license plate details of Fasten's drivers were discovered in the cache, sitting online, without the protection of a password.

"On October 24, 2017, we were informed by Kromtech Security that one of our databases containing limited amounts of non-sensitive data about some of our drivers and riders was accessible to the public," a Fasten spokesperson told Gizmodo.

The data was only poachable for about 48 hours in mid-October, the company said. An internal investigation determined that no one but the security researcher who discovered the data had accessed it. "Accordingly, we are not aware of and have no reason to believe that anyone's information has been misused in any way," Fasten said.

Kromtech security officer Bob Diachenko told Gizmodo that, in addition to IMEI numbers (15 digits used to uniquely identify cellphones and other consumer devices), a wealth of location information was leaked, albeit temporarily, including nearly a year's worth of customer pick-up and drop-off points.

IMEI numbers (not to be confused with IMSI numbers) are tied to devices and not users; so in the span of things, it's not too concerning. While they can be useful to law enforcement for tracking a suspect's movements, they are ultimately rendered obsolete as an identifier every time you purchase a new phone.
