Bus-sharing service users' data hit by security breach

Published August 1, 2020
According to Australian web security expert Troy Hunt, around 4.2 million data records were breached in the Swvl breach.  — Online/File

KARACHI: Popular bus-sharing service Swvl has suffered a major security breach that compromised user data, including names, email addresses and phone numbers of over four million customers.

However, new details emerged on Friday, claiming that the data apparently includes partial credit card information and user passwords as well.

According to a company statement published on its website earlier this month, Swvl said it had first become aware of the “unauthorised access” to its system on the evening of July 3.

“The investigation into the breach is still under way, but at this stage it is clear that the data which was compromised is restricted to names, email addresses and phone numbers,” it disclosed.

The company said its investigation had ensured that passwords and credit card information of the users were not affected or exposed.

Swvl did not specify how many users were impacted but said it had logged out all its users from their accounts as a precautionary measure. The company has urged customers to update their account passwords and those of any other accounts with the same or similar passwords and to change their passwords regularly.

“We immediately identified and addressed specific vulnerabilities that our IT infrastructure may have had, ensuring our customers’ data integrity,” it maintained, adding that it had secured the vulnerability in the system and “was confident” that the customer data was now safe.

Swvl is an Egyptian bus transportation network that was founded in April 2017. It operates buses along fixed routes and allows customers to reserve and pay for them using an app, with operations in Egypt, Kenya and Pakistan in the Middle East and North Africa (MENA) and Africa regions.

In Pakistan, Swvl has operations in Karachi, Lahore and Islamabad. In an announcement in November 2019, the company committed a $25 million investment to expand its operations in Pakistan.

“Swvl commits to providing regular updates on the investigation process and contacting customers individually if they have been directly impacted,” read the statement which was last updated on July 7.

‘4m users impacted’

According to Australian web security expert Troy Hunt, around 4.2 million data records were breached in the Swvl breach.

Hunt runs a popular website ‘Have I Been Pwned’, which allows users to search across multiple data breaches to see if their email address has been compromised. As per the website, users in Pakistan have had their personal information stolen in the breach.

In a series of tweets posted on his account on Friday, he said the company’s claim that credit card information and passwords were not compromised in the hack was wrong. “The exposed data included names, email addresses, phone numbers, profile photos, partial credit card data (type and last 4 digits) and passwords stored as bcrypt hashes, all of which was subsequently shared extensively throughout online hacking communities,” his website claims.

Swvl has not released an update on the breach since July 7.

Ride-sharing platforms have been a common target of data breaches. In 2018, Careem suffered a major data leak involving unauthorised access to information, including customers’ names, email addresses, phone numbers and trip data (pick-up and drop-off points).

In 2017, Uber said hackers had compromised personal data from some 57 million riders and drivers in a breach kept hidden for a year. Stolen files included names, email addresses and mobile phone numbers for riders, and the names and licence information of some 600,000 drivers, according to Uber.

Published in Dawn, August 1st, 2020
