The news: The personal data of over four million customers was compromised as the popular bus-sharing service Swvl was hit by a massive security breach. The breach risked user data, such as names, email addresses and phone numbers, partial credit card information and user passwords of swvl customers as well.
The breach: Last month, the Egyptian-origin company issued a statement on its website acknowledging that it was aware of the unauthorized access to its data systems since July 3. The statement asserted that the data under attack was limited to names, email addresses and phone numbers and that the security breach was being investigated. The company confirmed that the credit card information and passwords of their customers were still secure.
Precautions: While the company didn’t have an exact number for the customers affected, it was stated that all users had been logged out of their accounts as a precautionary measure. It was also advised that all customers should change their Swvl account passwords, and update any other accounts with similar passwords to ensure security. The statement also noted that the specific vulnerabilities in Swvl’s IT infrastructure which may have led to the breach, have been identified and fixed. The company is confident that the integrity of the customer data is now completely safe. Swvl has committed to providing regular updates on the investigation process and said that the customers will be individually contacted if they have been directly impacted by the breach.
Swvl: The Egyptian-origin company is a bus transportation network that operates buses along fixed routes. Customers can reserve and pay for their seats using an app. The company was founded in April 2017 with operations in Egypt, Kenya and Pakistan.
In Pakistan, the company has been operating in Karachi, Lahore and Islamabad. Swvl also committed a $25 million investment to expand its operations in Pakistan in November 2019.
Impact on users: According to an Australian web security expert Troy Hunt, around 4.2 million data records were compromised in the Swvl breach. Hunt runs a website that allows users to search across multiple data breaches to see if their email address has been compromised. According to the website’s algorithm, the personal information of millions of Pakistani users has been stolen in the breach. In a series of tweets Hunt denied the company’s claim that the credit card information and passwords of its customers were safe. He claimed that the exposed data included names, email addresses, phone numbers, profile photos, partial credit card data (type and last 4 digits) and passwords stored as bcrypt hashes, all of which was subsequently shared extensively throughout online hacking communities.