Ride Hailing Service Exposed Info on 1 Million Customers Online
The Kromtech Security Center researchers have discovered a misconfigured Apache Hive database, open to public access, that appears to contain data from Fasten, the Boston-based ride-hailing company.
Currently, Fasten only operates in two US markets: Austin, Texas and Boston, Massachusetts. According to Fasten, about 50% of Boston's ridesharing drivers and 90% of those in Austin use their service. They claim that their fares for passengers are also lower than those of competitors and are fixed rates. The populations of greater Boston (8 million) and the Austin area (2 million) make these markets a good testing ground for any company launching such a service.
The server was left open without any access control, so anyone with an internet connection could read Fasten's internal data, customer records, driver records, and more. The exposed data included:
Customer data on an estimated 1 million users of the Fasten mobile app
Detailed driver profiles on several thousand of Fasten's drivers
Emails / names / links to photos / phone numbers
IMEI numbers (every phone has a unique 15-digit code, called an IMEI number)
Taxi routes / coordinates / notes about drivers (good and bad)
Last 4 digits of customers' payment cards (debit and credit)
Drivers' car registration info and license plate details
Links to photos of the cars driven
Shortly after we reported the incident, following responsible disclosure policy, the database was taken offline.
According to Jennifer Borgan, Head of Corporate Communications at Fasten, "the database was actually created on October 11th. But, it did not contain the sensitive customer and driver information at that time. That data was uploaded by one of our developers several days later, and we can confirm it was exposed for a total period of 48 hours prior to deletion".
"We have already taken steps to update our security protocols to ensure this does not happen again. In this instance, old production data was uploaded to the test cluster by mistake. Going forward, these processes will be managed only by security engineers with specific expertise in this area", she added.
When it comes to ride-hailing apps, Uber and Lyft are household names, but there are a few other companies looking to capture some of their market share. It is estimated that the ride-hailing market will be worth $276 Billion USD by 2025, and it is easy to see why companies are scrambling to get a piece of the market. These are some big estimates, and experts believe that ride-hailing will grow to be five times the size of the taxi market. Thanks to technology, smartphones, and apps, getting a ride has never been easier. The downside is that when you share your data and payment information with any application, you increase the risk of it being exposed.
Traditional taxi services have long had a monopoly over transportation services, and it is now clear just how much impact the ride-sharing apps have had on the industry. Taxis were strictly regulated, not to mention extremely expensive. Boston, for example, limited the number of taxi medallions (i.e. the permit to own or lease a cab) to 1,825. At that time the taxi market was worth over $1.2 billion and a taxi medallion sold for as much as $700K USD; medallions now sell for $180,000. New York City's taxi medallions were once worth $1.3 million, and in 2017 they dropped to as low as $241,000, less than one-fifth of what the cab-ownership tags sold for just a few years ago. Cities and states are now trying to tax ride-hailing companies to get back the lost revenue and save the crashing taxi industry.
Fasten's chairman Evgeny Lvov has experience in the Russian transportation industry, where he ran a car service called Saturn for 17 years. Fasten was launched in 2014, and according to its US Securities and Exchange Commission Form D filing the total offering amount was $9,150,000 USD; there are conflicting news articles on whether this money was put up by majority shareholder Evgeny Lvov or Russian-based Almaz Capital.
According to americaninno.com, the $15 Million in funding came from Almaz Capital and UFG Capital, and their goal was to challenge Uber and Lyft. Fasten is listed as a Delaware Corporation, but lists its headquarters in Boston, Massachusetts. The address comes up as “WeWork South Station”, a coworking space and temporary office rental company. In their markets, they offer competition for the industry leaders Uber and Lyft. Unfortunately, Kromtech researchers found the customer and driver records publicly available.
In 2014 Uber revealed that data on as many as 50,000 of its drivers had been accessed by an Internet address possibly associated with rival Lyft's technology chief Chris Lambert. This is a wake-up call for an industry that depends on data to take every possible step to protect the data of their drivers and customers. It is important to audit servers and web-based storage repositories to confirm they are not publicly accessible and that the data is secure.
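The audit the paragraph above calls for can be partly automated on the host itself. The following script is an added example, not Kromtech's or Fasten's code: it reads a constructed hive-site.xml fragment and a constructed listing of listening sockets, and flags a HiveServer2 whose authentication is set to NONE or whose Hive ports (the real defaults: metastore 9083, HiveServer2 Thrift 10000, HiveServer2 web UI 10002) are bound to all interfaces. The configuration values and socket listing are sample data, not the exposed cluster's real settings.

```python
import xml.etree.ElementTree as ET

# Constructed sample hive-site.xml fragment (not a real deployment's file).
HIVE_SITE = """<configuration>
  <property><name>hive.server2.thrift.port</name><value>10000</value></property>
  <property><name>hive.server2.thrift.bind.host</name><value>0.0.0.0</value></property>
  <property><name>hive.server2.authentication</name><value>NONE</value></property>
</configuration>"""

# Constructed sample of `ss -Hltn` output from the same host (no header row).
SS_OUTPUT = """LISTEN 0 128 0.0.0.0:10000 0.0.0.0:*
LISTEN 0 128 127.0.0.1:9083 0.0.0.0:*
LISTEN 0 50 0.0.0.0:10002 0.0.0.0:*"""

# Default Hive ports that should never be reachable from the public internet.
HIVE_PORTS = {9083: "metastore", 10000: "hiveserver2-thrift", 10002: "hiveserver2-webui"}
# Bind addresses that mean "every interface", including any public one.
WILDCARD = {"0.0.0.0", "*", "[::]", "::"}

def hive_props(xml_text):
    """Flatten hive-site.xml <property> entries into a name -> value dict."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name"): p.findtext("value") for p in root.iter("property")}

def exposed_listeners(ss_text):
    """Return (port, service) for Hive ports listening on all interfaces."""
    found = []
    for line in ss_text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        host, _, port = cols[3].rpartition(":")   # local address:port column
        if int(port) in HIVE_PORTS and host in WILDCARD:
            found.append((int(port), HIVE_PORTS[int(port)]))
    return found

def audit(xml_text, ss_text):
    """Combine config and socket checks into a list of human-readable findings."""
    findings = []
    props = hive_props(xml_text)
    # hive.server2.authentication defaults to NONE, so a missing key is also a finding.
    if props.get("hive.server2.authentication", "NONE").upper() == "NONE":
        findings.append("hive.server2.authentication is NONE: any client that reaches the port is trusted")
    if props.get("hive.server2.thrift.bind.host", "") in WILDCARD:
        findings.append("hive.server2.thrift.bind.host binds to all interfaces")
    for port, svc in exposed_listeners(ss_text):
        findings.append(f"{svc} listening on all interfaces (port {port})")
    return findings

if __name__ == "__main__":
    for f in audit(HIVE_SITE, SS_OUTPUT):
        print("FINDING:", f)
```

On a real host, replace the two constants with the contents of hive-site.xml and the output of `ss -Hltn`; a clean result is an empty list, and anything else is a reason to restrict the bind address, put the service behind a firewall, or enable authentication before loading production data.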
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.