Ride-share upstart 'Fasten' revealed as Hive of insecurity

Like Uber but for leaking personal data: a million customer records left on unsecured Hadoop


Boston-based ride-hailing hopeful Fasten has coughed to a million-customer data breach that happened because someone left a database lying around unsecured.

The breach was turned up by cloud-crowd Kromtech, whose Bob Diachenko wrote late last week that the company had a misconfigured Apache Hive database exposed on the Internet. Hive is a data warehouse system built on top of Hadoop.

“The server was left open for end-user access and this also let anyone with an internet connection access Fasten’s internal data”, he wrote.

The exposed customer data included names, e-mails, telephone numbers, IMEI codes, trip details (pick-up and drop-off points), and links to photos. Corporate data was also exposed, including a few thousand driver profiles, routes, comments about drivers, car registration, and photos of drivers’ vehicles.

Diachenko notes that the only payment information in the database was the last four digits of credit cards.

The company told Diachenko the database was created on October 11 of this year, but it wasn’t populated until later, and as far as Fasten can tell, it was only accessible for 48 hours. Fasten doesn’t believe anybody other than Kromtech’s people accessed the data before it was deleted.

Fasten’s Jennifer Borgen told Kromtech it was “old production data”, and the company is reviewing its security processes to keep data safer in future.

The company only operates in Boston and Austin, Texas. ®
