Fasten Inadvertently Leaks 1 Million Users’ Sensitive Data

Fasten Inadvertently Leaks 1 Million Users' Sensitive Data

Currently operating out of Austin, Texas, and Boston, Massachusetts, Fasten was the official ride-hailing service at South by South West (SXSW) earlier this year.

The personal and financial information of over one million Fasten users was inadvertently exposed publically. Fasten is a US-based ride-hailing firm. Among the leaked data are the names, emails addressed and phone numbers of users. Credit card data, photos, and device IMEI numbers were also leaked along with GPS information and taxi routes of Fasten users.

Fasten also exposed the “sensitive” information of its own drivers during the leak. This included registration and license plate records along with detailed individual profiles. According to security researchers from Kromtech, the data exposure was caused by an unprotected Apache Hive database. Kromtech researchers were the ones who uncovered the data breach.

Currently operating out of Austin, Texas, and Boston, Massachusetts, Fasten was the official ride-hailing service at South by South West (SXSW) earlier this year. The festival is frequented by a number of VIPS’ including tech firm executives and musicians. This year several journalists and filmmakers were also among the attendees. The majority of SXSW attendees were driven by Fasten. This was because Uber and Lyft were temporarily banned for reportedly not complying with locals’ laws.

Under the new laws, the fingerprints of ride-hailing service drivers must be run through the FBI’s database. Officials from Fasten confirmed that the sensitive data was left exposed for up to 48 hours before it could be secured. According to Fasten corporate communications head Jennifer Borgan the database was actually created on October 11.

She said at the time it was created, the database did not contain the sensitive customer and driver information which was left exposed. Borgan confirmed that the data was uploaded by a Fasten developer a few days later. “We can confirm that the data was exposed for 48 hours prior to its deletion,” she said. According to the firm, steps have already been taken to upgrade security protocols and to ensure a similar leak does not happen.

Borgan explained that old production data was uploaded “to the test cluster” by mistake. She said that going forward data uploads would only be managed by security engineers who have specific expertise in the designated area. Experts from Fasten reported that the sensitive data was not accessed by anyone else during the time of its exposure, apart from security experts at Kromtech.

Kromtech’s chief communications officer, Bob Diachenko, has said it was discovered by the security firm that approximately a year’s worth of information relating to customer pick-up and drop-off points was among the data leaked. This sort of massive data exposure could have devastating results if it should have fallen into the hands of hackers.

Cybercriminals could use information such as that which was leaked to comprehensively spy on people by monitoring their everyday routines and activities. According to Diachenko, the breach should serve as a wake-up call for the ride-hailing services. These services depend on sensitive data to operate successfully.