Bus-sharing service users data hit by security breach

Published August 1, 2020
According to Australian web security expert Troy Hunt, around 4.2 million data records were breached in the Swvl breach.  — Online/File
According to Australian web security expert Troy Hunt, around 4.2 million data records were breached in the Swvl breach. — Online/File

KARACHI: Popular bus-sharing service Swvl has suffered a major security breach that comprised user data, including names, email addresses and phone numbers of over four million customers.

However, new details emerged on Friday, claiming that the data apparently includes partial credit card information and user passwords as well.

According to a company statement published on its website earlier this month, Swvl said it had first become aware of the “unauthorised access” to its system on the evening of July 3.

“The investigation into the breach is still under way, but at this stage it is clear that the data which was compromised is restricted to names, email addresses and phone numbers,” it disclosed.

The company said its investigation had ensured that passwords and credit card information of the users were not affected or exposed.

Swvl did not specify how many users were impacted but said it had logged out all its users from their accounts as a precautionary measure. The company has urged customers to update their account passwords and those of any other accounts with the same or similar passwords and to change their passwords regularly.

“We immediately identified and addressed specific vulnerabilities that our IT infrastructure may have had, ensuring our customers’ data integrity,” it maintained, adding that it had secured the vulnerability in the system and “was confident” that the customer data was now safe.

Swvl is an Egyptian bus transportation network that was founded in April 2017. It operates buses along fixed routes and allows customers to reserve and pay for them using an app, with operations in Egypt, Kenya and Pakistan in the Middle East and North Africa (MENA) and Africa regions.

In Pakistan, Swvl has operations in Karachi, Lahore and Islamabad. In an announcement in November 2019, the company committed $25 million investment to expand its operations in Pakistan.

“Swvl commits to providing regular updates on the investigation process and contacting customers individually if they have been directly impacted,” read the statement which was last updated on July 7.

‘4m users impacted’

According to Australian web security expert Troy Hunt, around 4.2 million data records were breached in the Swvl breach.

Hunt runs a popular website ‘Have I Been Pwned’, which allows users to search across multiple data breaches to see if their email address has been compromised. As per the website, users in Pakistan have had their personal information stolen in the breach.

In a series of tweets posted on his account on Friday, he said the company’s claim that credit card information and passwords were not compromised in the hack was wrong. “The exposed data included names, email addresses, phone numbers, profile photos, partial credit card data (type and last 4 digits) and passwords stored as bcrypt hashes, all of which was subsequently shared extensively throughout online hacking communities,” his website claims.

Swvl has not released an update on the breach since July 7.

Ride-sharing platforms have been a common target of data breaches. In 2018, Careem had suffered a major data leak involving unauthorised access to information, including customers’ name, email addresses, phone numbers and trip data (pick-up and drop-off points).

In 2017, Uber said hackers had compromised personal data from some 57 million riders and drivers in a breach kept hidden for a year. Stolen files included names, email addresses and mobile phone numbers for riders, and the names and licence information of some 600,000 drivers, according to Uber.

Published in Dawn, August 1st, 2020

Opinion

Editorial

Skyrocketing prices
Updated 03 Jul, 2022

Skyrocketing prices

Some sellers are seeking to take advantage of the prevailing disorder by creating artificial shortages or jacking up prices.
Flooding alert
03 Jul, 2022

Flooding alert

THE Gilgit-Baltistan government has issued an alert about the possible flooding of areas along river banks and...
Assaulting journalists
03 Jul, 2022

Assaulting journalists

ANOTHER day, another citizen roughed up for speaking his mind. The assault on veteran journalist Ayaz Amir by...
Uncertainty remains in Punjab
Updated 02 Jul, 2022

Uncertainty remains in Punjab

With the latest verdict, the judiciary seems to have unintentionally entered the political arena, which is not desirable.
Turbulence in tech
02 Jul, 2022

Turbulence in tech

THE party seems to have cooled considerably for the Pakistani start-up scene. With some of the world’s biggest...
Environmental cost
02 Jul, 2022

Environmental cost

THE collective impact of climate-disaster-health hazards are already taking a huge toll on Pakistan’s fragile...