Over one million users' personal and financial data was inadvertently publicly exposed by US-based ride hailing firm Fasten. The leaked data includes names, emails, phone numbers, credit card data, links to photos, device IMEI numbers, GPS data and users' taxi routes.
The firm also exposed sensitive information of its own drivers, including drivers' car registration and license plate records as well as detailed individual profiles. According to Kromtech security researchers, who uncovered the breach, the data exposure was caused by an unsecured Apache Hive database.
Fasten currently operates in Austin, Texas and Boston, Massachusetts. Earlier in the year, Fasten was the official ride-hailing service of the year at SXSW. The festival attracts numerous VIPs, tech firm executives, musicians, journalists and filmmakers, among others. Many of SXSW attendees were likely driven by Fasten as Uber and Lyft remained temporarily banned for failing to comply with a law that required their drivers' fingerprints to be checked through an FBI database.
Fasten confirmed that the data was left exposed for 48 hours before it was secured. "The database was actually created on October 11th. But, it did not contain the sensitive customer and driver information at that time. That data was uploaded by one of our developers several days later, and we can confirm it was exposed for a total period of 48 hours prior to deletion," Fasten corporate communications head Jennifer Borgan said in a statement.
"We have already taken steps to update our security protocols to ensure this does not happen again. In this instance, old production data was uploaded to the test cluster by mistake. Going forward, these processes will be managed only by security engineers with specific expertise in this area," Borgan added.
Fasten told Gizmodo that the data was not accessed by anyone else, apart from Kromtech security experts. Bob Diachenko, Kromtech's chief communications officer, said that the security firm had also discovered that around a year's worth of information on customer pick-up and drop-off points was also leaked.
In the hands of hackers, this kind of massive data exposure could result in devastating attacks. Cybercriminals could use such data to comprehensively spy on people, monitoring everyday routine and activities. According to Diachenko, this breach serves as a "wake up call" for the ride-hailing service industry, which depends on data to operate successfully.