Ride-hailing apps such as Uber, Lyft and countless smaller startups are afforded access to information you might prefer other people didn’t know. In most cases, you’re providing explicit details concerning your whereabouts, as well as your destination. As long as that data stays private, it’s all gravy: You safely get home from the bar, the driver and service get paid, and no-one needs to talk about why you were out at 2AM on a school night. But what if anyone – strangers, exes, coworkers, your boss – could find out where you’ve been? What if they knew your routine? Would you care?
Consider this a cautionary tale: Fasten, a ride-sharing company whose app is primarily used in the Boston area, was forced into action last month after one of its servers, which contained an abundance of personal and location data about its customers, began to leak online. The company has confirmed that it was notified late last month of a potential data breach. Kromtech, the security firm that discovered the files and contacted Fasten to secure the breach, believes as many as one million customers may have been exposed, however briefly.
Among the data viewed by a security researcher were the names, email addresses and phone numbers of customers, as well as links to their photos. The last four digits of the customers’ credit cards or email addresses associated with their PayPal accounts were also included. Moreover, the car registration information and licence plate details of Fasten’s drivers were discovered in the cache, sitting online, without the protection of a password.
“On October 24, 2017, we were informed by Kromtech Security that one of our databases containing limited amounts of non-sensitive data about some of our drivers and riders was accessible to the public,” a Fasten spokesperson told Gizmodo.
The data was only poachable for about 48 hours in mid-October, the company said. An internal investigation determined that no one but the security researcher who discovered the data had accessed it. “Accordingly, we are not aware of and have no reason to believe that anyone’s information has been misused in any way,” Fasten said.
Kromtech security officer Bob Diachenko told Gizmodo that, in addition to IMEI numbers – 15 digits used to uniquely identify mobile phones and other consumer devices – a wealth of location information was leaked, albeit temporarily, including nearly a year’s worth of customer pick-up and drop-off points.
IMEI numbers (not to be confused with IMSI numbers) are tied to devices and not users, so in the grand scheme of things, their exposure isn’t too concerning. While they can be useful to law enforcement for tracking a suspect’s movements, they are ultimately rendered obsolete as an identifier every time you purchase a new phone.
Notably, Fasten was the official ride-hailing service of this year’s South By Southwest (SXSW) festival in Austin, where tens of thousands of people gather each March to listen to music, eat food from trucks, and catch talks featuring tech CEOs and other supposedly important people. This year’s SXSW festival happened to overlap with a period in which Uber and Lyft were temporarily banned in Austin for refusing to comply with a law that would have required their drivers’ fingerprints to be checked against an FBI database.
Fasten, therefore, reigned over SXSW and reportedly gained a lot of traction from swarms of desperate festival-goers: Tech company executives, filmmakers, journalists (including two current Gizmodo reporters), musicians, assorted VIPs, and all the other usual suspects.
Fasten’s data would provide tracking for potentially every trip these folks made, to and from bars, hotels, restaurants, probably a few strip clubs, and all of the other delightful venues Austin has to offer.
Kromtech said it was able to confirm that, out of a sample of 5000 rides, roughly six per cent were tied directly to the GPS coordinates of the Austin Convention Center, where the festival is centred. If indicative of the entire dataset, then, potentially, as many as 16,000 SXSW-related rides may have been included. And that doesn’t account for rides between other points in the city.
During a cursory glance at the data, Kromtech noticed the profile of a tech company CEO as well as an executive from a widely read publication.
“As noted, we took immediate steps to secure the database and to prevent similar incidents from happening in the future,” said the Fasten spokesperson, adding it was now working with a “leading third party advisor” to evaluate the integrity of its systems. The company is also reviewing its policies and procedures to help “safeguard the protection of our drivers’ and customers’ personal data”.
Although most go unreported, security researchers unearth many similar exposures on nearly a daily basis. Gizmodo was able to confirm that Fasten reacted swiftly to secure its customer and employee data after learning one of its production databases had been exposed. And unlike many companies, it was communicative with the data breach hunter who reached out to provide assistance.