Boston-based ride-hailing hopeful Fasten has coughed to a million-customer data breach that happened because someone left a database lying around unsecured.
The breach was turned up by cloud-crowd Kromtech, whose Bob Diachenko wrote late last week that the company had a misconfigured Apache Hive database exposed on the Internet. Hive is a data warehouse system built on top of Hadoop.
“The server was left open for end-user access and this also let anyone with an internet connection access Fasten’s internal data”, he wrote.
The exposed customer data included names, e-mails, telephone numbers, IMEI codes, trip details (pick-up and drop-off points), and links to photos. Corporate data, including a few thousand driver profiles, routes, comments about drivers, car registration, and photos of drivers’ vehicles.
Diachenko notes that the only payment information in the database was the last four digits of credit cards.
The company told Diachenko the database was created on October 11 of this year, but it wasn’t populated until later, and as far as Fasten can tell, it was only accessible for 48 hours. Fasten doesn’t believe anybody other than Kromtech’s people accessed the data before it was deleted.
Fasten’s Jennifer Borgen told Kromtech it was “old production data”, and the company is reviewing its security processes to keep data safer in future.
The company only operates in Boston and Austin, Texas. ®