Bus-sharing service users data hit by security breach

Published August 1, 2020
According to Australian web security expert Troy Hunt, around 4.2 million data records were breached in the Swvl breach.  — Online/File
According to Australian web security expert Troy Hunt, around 4.2 million data records were breached in the Swvl breach. — Online/File

KARACHI: Popular bus-sharing service Swvl has suffered a major security breach that comprised user data, including names, email addresses and phone numbers of over four million customers.

However, new details emerged on Friday, claiming that the data apparently includes partial credit card information and user passwords as well.

According to a company statement published on its website earlier this month, Swvl said it had first become aware of the “unauthorised access” to its system on the evening of July 3.

“The investigation into the breach is still under way, but at this stage it is clear that the data which was compromised is restricted to names, email addresses and phone numbers,” it disclosed.

The company said its investigation had ensured that passwords and credit card information of the users were not affected or exposed.

Swvl did not specify how many users were impacted but said it had logged out all its users from their accounts as a precautionary measure. The company has urged customers to update their account passwords and those of any other accounts with the same or similar passwords and to change their passwords regularly.

“We immediately identified and addressed specific vulnerabilities that our IT infrastructure may have had, ensuring our customers’ data integrity,” it maintained, adding that it had secured the vulnerability in the system and “was confident” that the customer data was now safe.

Swvl is an Egyptian bus transportation network that was founded in April 2017. It operates buses along fixed routes and allows customers to reserve and pay for them using an app, with operations in Egypt, Kenya and Pakistan in the Middle East and North Africa (MENA) and Africa regions.

In Pakistan, Swvl has operations in Karachi, Lahore and Islamabad. In an announcement in November 2019, the company committed $25 million investment to expand its operations in Pakistan.

“Swvl commits to providing regular updates on the investigation process and contacting customers individually if they have been directly impacted,” read the statement which was last updated on July 7.

‘4m users impacted’

According to Australian web security expert Troy Hunt, around 4.2 million data records were breached in the Swvl breach.

Hunt runs a popular website ‘Have I Been Pwned’, which allows users to search across multiple data breaches to see if their email address has been compromised. As per the website, users in Pakistan have had their personal information stolen in the breach.

In a series of tweets posted on his account on Friday, he said the company’s claim that credit card information and passwords were not compromised in the hack was wrong. “The exposed data included names, email addresses, phone numbers, profile photos, partial credit card data (type and last 4 digits) and passwords stored as bcrypt hashes, all of which was subsequently shared extensively throughout online hacking communities,” his website claims.

Swvl has not released an update on the breach since July 7.

Ride-sharing platforms have been a common target of data breaches. In 2018, Careem had suffered a major data leak involving unauthorised access to information, including customers’ name, email addresses, phone numbers and trip data (pick-up and drop-off points).

In 2017, Uber said hackers had compromised personal data from some 57 million riders and drivers in a breach kept hidden for a year. Stolen files included names, email addresses and mobile phone numbers for riders, and the names and licence information of some 600,000 drivers, according to Uber.

Published in Dawn, August 1st, 2020


No Eid for Sachal
16 May 2021

No Eid for Sachal

All this pain has been inflicted on man by man. When reason fails, this is what man resorts to. Naked barbarity.
US exit: security implications
16 May 2021

US exit: security implications

All indications are that transnational terrorist groups are gearing up to increase their operations in the region.


16 May 2021

Riyadh-Tehran thaw

SEVERAL official pronouncements over the last few days have confirmed that efforts are underway behind the scenes to...
16 May 2021

Ruthless evictions

FOR a state to deprive residents of their homes without providing for alternative housing for them is a dereliction...
16 May 2021

Wheat concerns

THE new official projections for provisional wheat output suggest that Punjab may harvest around 20.5m tonnes of...
Eid during Covid
Updated 13 May 2021

Eid during Covid

It is indisputable that our actions now will prevent matters from becoming far worse.
Updated 14 May 2021

Foreign policy gaffes

MIXED messages, retractions and clarifications from the government have become an all-too-common occurrence when it...
Zimbabwe series win
Updated 15 May 2021

Zimbabwe series win

For millions of Pakistani fans, it was a thrilling experience to see their team returning to its winning ways.