Bus-sharing service users data hit by security breach

Published August 1, 2020
According to Australian web security expert Troy Hunt, around 4.2 million data records were breached in the Swvl breach.  — Online/File
According to Australian web security expert Troy Hunt, around 4.2 million data records were breached in the Swvl breach. — Online/File

KARACHI: Popular bus-sharing service Swvl has suffered a major security breach that comprised user data, including names, email addresses and phone numbers of over four million customers.

However, new details emerged on Friday, claiming that the data apparently includes partial credit card information and user passwords as well.

According to a company statement published on its website earlier this month, Swvl said it had first become aware of the “unauthorised access” to its system on the evening of July 3.

“The investigation into the breach is still under way, but at this stage it is clear that the data which was compromised is restricted to names, email addresses and phone numbers,” it disclosed.

The company said its investigation had ensured that passwords and credit card information of the users were not affected or exposed.

Swvl did not specify how many users were impacted but said it had logged out all its users from their accounts as a precautionary measure. The company has urged customers to update their account passwords and those of any other accounts with the same or similar passwords and to change their passwords regularly.

“We immediately identified and addressed specific vulnerabilities that our IT infrastructure may have had, ensuring our customers’ data integrity,” it maintained, adding that it had secured the vulnerability in the system and “was confident” that the customer data was now safe.

Swvl is an Egyptian bus transportation network that was founded in April 2017. It operates buses along fixed routes and allows customers to reserve and pay for them using an app, with operations in Egypt, Kenya and Pakistan in the Middle East and North Africa (MENA) and Africa regions.

In Pakistan, Swvl has operations in Karachi, Lahore and Islamabad. In an announcement in November 2019, the company committed $25 million investment to expand its operations in Pakistan.

“Swvl commits to providing regular updates on the investigation process and contacting customers individually if they have been directly impacted,” read the statement which was last updated on July 7.

‘4m users impacted’

According to Australian web security expert Troy Hunt, around 4.2 million data records were breached in the Swvl breach.

Hunt runs a popular website ‘Have I Been Pwned’, which allows users to search across multiple data breaches to see if their email address has been compromised. As per the website, users in Pakistan have had their personal information stolen in the breach.

In a series of tweets posted on his account on Friday, he said the company’s claim that credit card information and passwords were not compromised in the hack was wrong. “The exposed data included names, email addresses, phone numbers, profile photos, partial credit card data (type and last 4 digits) and passwords stored as bcrypt hashes, all of which was subsequently shared extensively throughout online hacking communities,” his website claims.

Swvl has not released an update on the breach since July 7.

Ride-sharing platforms have been a common target of data breaches. In 2018, Careem had suffered a major data leak involving unauthorised access to information, including customers’ name, email addresses, phone numbers and trip data (pick-up and drop-off points).

In 2017, Uber said hackers had compromised personal data from some 57 million riders and drivers in a breach kept hidden for a year. Stolen files included names, email addresses and mobile phone numbers for riders, and the names and licence information of some 600,000 drivers, according to Uber.

Published in Dawn, August 1st, 2020

Opinion

Editorial

Kurram atrocity
Updated 22 Nov, 2024

Kurram atrocity

It would be a monumental mistake for the state to continue ignoring the violence in Kurram.
Persistent grip
22 Nov, 2024

Persistent grip

PAKISTAN has now registered 50 polio cases this year. We all saw it coming and yet there was nothing we could do to...
Green transport
22 Nov, 2024

Green transport

THE government has taken a commendable step by announcing a New Energy Vehicle policy aiming to ensure that by 2030,...
Military option
Updated 21 Nov, 2024

Military option

While restoring peace is essential, addressing Balochistan’s socioeconomic deprivation is equally important.
HIV/AIDS disaster
21 Nov, 2024

HIV/AIDS disaster

A TORTUROUS sense of déjà vu is attached to the latest health fiasco at Multan’s Nishtar Hospital. The largest...
Dubious pardon
21 Nov, 2024

Dubious pardon

IT is disturbing how a crime as grave as custodial death has culminated in an out-of-court ‘settlement’. The...