Bus-sharing service users data hit by security breach

Published August 1, 2020
According to Australian web security expert Troy Hunt, around 4.2 million data records were breached in the Swvl breach.  — Online/File
According to Australian web security expert Troy Hunt, around 4.2 million data records were breached in the Swvl breach. — Online/File

KARACHI: Popular bus-sharing service Swvl has suffered a major security breach that comprised user data, including names, email addresses and phone numbers of over four million customers.

However, new details emerged on Friday, claiming that the data apparently includes partial credit card information and user passwords as well.

According to a company statement published on its website earlier this month, Swvl said it had first become aware of the “unauthorised access” to its system on the evening of July 3.

“The investigation into the breach is still under way, but at this stage it is clear that the data which was compromised is restricted to names, email addresses and phone numbers,” it disclosed.

The company said its investigation had ensured that passwords and credit card information of the users were not affected or exposed.

Swvl did not specify how many users were impacted but said it had logged out all its users from their accounts as a precautionary measure. The company has urged customers to update their account passwords and those of any other accounts with the same or similar passwords and to change their passwords regularly.

“We immediately identified and addressed specific vulnerabilities that our IT infrastructure may have had, ensuring our customers’ data integrity,” it maintained, adding that it had secured the vulnerability in the system and “was confident” that the customer data was now safe.

Swvl is an Egyptian bus transportation network that was founded in April 2017. It operates buses along fixed routes and allows customers to reserve and pay for them using an app, with operations in Egypt, Kenya and Pakistan in the Middle East and North Africa (MENA) and Africa regions.

In Pakistan, Swvl has operations in Karachi, Lahore and Islamabad. In an announcement in November 2019, the company committed $25 million investment to expand its operations in Pakistan.

“Swvl commits to providing regular updates on the investigation process and contacting customers individually if they have been directly impacted,” read the statement which was last updated on July 7.

‘4m users impacted’

According to Australian web security expert Troy Hunt, around 4.2 million data records were breached in the Swvl breach.

Hunt runs a popular website ‘Have I Been Pwned’, which allows users to search across multiple data breaches to see if their email address has been compromised. As per the website, users in Pakistan have had their personal information stolen in the breach.

In a series of tweets posted on his account on Friday, he said the company’s claim that credit card information and passwords were not compromised in the hack was wrong. “The exposed data included names, email addresses, phone numbers, profile photos, partial credit card data (type and last 4 digits) and passwords stored as bcrypt hashes, all of which was subsequently shared extensively throughout online hacking communities,” his website claims.

Swvl has not released an update on the breach since July 7.

Ride-sharing platforms have been a common target of data breaches. In 2018, Careem had suffered a major data leak involving unauthorised access to information, including customers’ name, email addresses, phone numbers and trip data (pick-up and drop-off points).

In 2017, Uber said hackers had compromised personal data from some 57 million riders and drivers in a breach kept hidden for a year. Stolen files included names, email addresses and mobile phone numbers for riders, and the names and licence information of some 600,000 drivers, according to Uber.

Published in Dawn, August 1st, 2020

Opinion

Editorial

A political resolution
13 Dec, 2024

A political resolution

HAVE political stakeholders finally accepted that their ‘war’ has reached a stalemate? Has the PTI understood it...
High price increases
13 Dec, 2024

High price increases

FISCAL stabilisation prescribed by the IMF can be expensive — for the common people — in more ways than one. ...
Beyond HOTA
13 Dec, 2024

Beyond HOTA

IN a welcome demonstration of HOTA’s oversight role, kidney transplant services have been suspended at...
General malfeasance
Updated 12 Dec, 2024

General malfeasance

Will Gen Faiz Hameed's trial prove to be a long overdue comeuppance or just another smokescreen?
Electricity rates
12 Dec, 2024

Electricity rates

THE government is renegotiating power purchase agreements with private power producers to slash their capacity...
Aggression in Syria
12 Dec, 2024

Aggression in Syria

TAKING advantage of the chaos in post-Assad Syria, Israel has proceeded to grab more of the Arab state’s land,...