Ride-hailing apps are in vogue, and countless startups, alongside giants such as Uber and Lyft, handle confidential personal information every day. Users of these apps must hand over explicit details about their whereabouts and destinations, which is nothing out of the ordinary, since the service cannot be fulfilled without them. It is, however, the company's responsibility to safeguard that private information and keep it private; when it fails to do so, its users are put at real risk.
That is what happened at Fasten, a Boston-based ride-hailing firm. According to researchers at the Kromtech Security Center, a misconfigured Apache Hive database containing Fasten customer data was left open to anyone on the internet. Fasten covers two key US markets, Austin, Texas and Boston, Massachusetts, and reportedly about 50% of Boston's and 90% of Austin's riders use its service, largely because it charges lower rates than its competitors.
According to Kromtech Security, the server required no authentication at all, so not just end users but anyone with an internet connection could read Fasten's internal data, driver records, customer records and similar confidential material. The researchers assessed that the exposure covered data on nearly 1 million users of the Fasten mobile app and thousands of driver profiles: the 15-digit IMEI of the phones on which the app was installed, email addresses, links to profile pictures, phone numbers, names and the last four digits of customers' debit and credit cards. An IMEI is a permanent hardware identifier, so unlike a password it cannot be rotated once leaked. The data also included taxi routes, driver notes and location coordinates, drivers' car registration details, license plate numbers and links to photographs of the vehicles.
The researchers noted that soon after they notified Fasten, the company secured the data and removed the database from public access. Gizmodo, for its part, reported that in a sample of five thousand rides nearly 6% were linked directly to the GPS coordinates of the Austin Convention Center, and that the full database may therefore contain over 16,000 SXSW-related rides. Fasten was the official ride-hailing service at this year's South By Southwest festival in Austin, as Uber and Lyft were banned in the city at the time.
Fasten's head of corporate communications, Jennifer Borgan, stated that the database was created on 11 October and did not contain sensitive customer or driver data. Borgan further explained that it was open for 48 hours before being deleted. The company has vowed to update its security protocols so that such an incident never recurs.
“We have already taken steps to update our security protocols to ensure this does not happen again. In this instance, old production data was uploaded to the test cluster by mistake. Going forward, these processes will be managed only by security engineers with specific expertise in this area,” stated Borgan.
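The root cause Borgan describes, a production extract landing on a test cluster, is one of the most common ways sensitive data ends up on a weakly protected system. The usual control is to never let raw production records leave the production boundary: drop or pseudonymize personal fields before the copy is made, and refuse the export if anything that still looks like PII slips through. The following is an added example of such a sanitization step (my code, not Fasten's or Kromtech's); the column names mirror the field types listed in the article, the secret key and the sample row are constructed for illustration, and the residual-PII scan is a heuristic backstop rather than a substitute for the allowlist.

```python
import hashlib
import hmac
import re

# Assumed secret for pseudonymization. In practice fetch it from a secret
# store and never copy it to the test cluster. (Assumption, not from the article.)
PSEUDONYM_KEY = b"example-key-replace-me"

# Allowlist of columns that may be copied to a test cluster unchanged.
PASSTHROUGH = {"ride_id", "requested_at", "fare_cents", "city"}
# Identifiers replaced by a keyed hash so joins still work in testing.
PSEUDONYMIZE = {"user_id", "driver_id", "imei", "license_plate"}
# Location columns rounded to coarse precision.
COARSEN = {"pickup_lat", "pickup_lon", "dropoff_lat", "dropoff_lon"}
# Every other column (name, email, phone, photo URLs, card digits,
# driver notes, ...) is dropped: default deny.

_EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")
# A bare run of 13-19 digits: an IMEI (15) or a card number (13-19).
_LONG_DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def pseudonymize(value, key=PSEUDONYM_KEY):
    """Keyed, truncated HMAC-SHA256: stable per input, not reversible without the key.
    Formatted in groups of four hex characters so the token can never trip the
    digit-run scan below."""
    digest = hmac.new(key, str(value).encode("utf-8"), hashlib.sha256).hexdigest()[:16]
    return "-".join(digest[i:i + 4] for i in range(0, 16, 4))


def coarsen(value, decimals=2):
    """Round a coordinate to roughly 1 km so a route no longer pinpoints a home or office."""
    return round(float(value), decimals)


def sanitize_record(rec):
    """Apply the allowlist: pass through, pseudonymize, coarsen, or drop each column."""
    out = {}
    for col, val in rec.items():
        if col in PASSTHROUGH:
            out[col] = val
        elif col in PSEUDONYMIZE:
            out[col] = pseudonymize(val)
        elif col in COARSEN:
            out[col] = coarsen(val)
        # any other column is silently dropped
    return out


def residual_pii(rec):
    """Backstop scan: names of columns whose value still looks like an e-mail,
    IMEI or card number. Heuristic only; the allowlist is the real control."""
    hits = []
    for col, val in rec.items():
        text = str(val)
        if _EMAIL.search(text) or _LONG_DIGIT_RUN.search(text):
            hits.append(col)
    return hits


def export_for_test(records):
    """Sanitize every record and refuse the whole export if anything slips through."""
    clean = [sanitize_record(r) for r in records]
    for r in clean:
        leaks = residual_pii(r)
        if leaks:
            raise ValueError(f"refusing export: residual PII in columns {leaks}")
    return clean


# Constructed sample row shaped like the fields the article lists; not real data.
SAMPLE_RIDES = [
    {
        "ride_id": 1001, "user_id": 4242, "driver_id": 77, "name": "A. Rider",
        "email": "rider@example.com", "phone": "+1 512 555 0100",
        "imei": "490154203237518", "card_last4": "4242",
        "license_plate": "ABC1234", "photo_url": "https://example.com/p/1.jpg",
        "pickup_lat": 30.26345, "pickup_lon": -97.73891,
        "dropoff_lat": 30.26780, "dropoff_lon": -97.74123,
        "driver_notes": "regular customer, works at the convention center",
        "requested_at": "2017-10-11T08:15:00Z", "fare_cents": 1250, "city": "Austin",
    },
]

if __name__ == "__main__":
    for row in export_for_test(SAMPLE_RIDES):
        print(row)
```

Two design choices matter here. The allowlist is default-deny, so a new column added to the production schema is dropped from test extracts until someone consciously classifies it; a denylist would do the opposite and leak new columns by default. And identifiers are pseudonymized with a keyed hash rather than a plain SHA-256, because an unkeyed hash of a 15-digit IMEI or a license plate is trivially reversed by enumeration.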
Fasten maintains that although the data was exposed for 48 hours, there is no evidence that anyone accessed it, though such a claim is only as strong as whatever access logging the cluster kept during that window. Kromtech's chief communications officer, Bob Diachenko, states that the database exposed roughly a year's worth of customer pick-up and drop-off points. He added that an exposure of this size could be devastating for both the company and its users, because criminals could use the data to monitor and spy on individuals' daily movements.
Diachenko therefore believes the incident should be taken as a warning, a "wake-up call", for the ride-hailing industry, since these companies run on the data their customers hand them. If users come to fear that the information they share may be exposed, they will stop using the services.