Delivery Biz Exposes 400 Million Records in Privacy Snafu

A popular south Asian delivery company exposed 400 million records containing customers’ personal information after misconfiguring an Elasticsearch server, according to researchers.

A team from reviews site Safety Detectives found the 200GB trove during a simple IP address check on specific ports. It was left wide open with no password protection or encryption, meaning anyone with the server’s IP address could have accessed the database.

The team soon traced the leak back to Bykea, a Karachi-based vehicle-for-hire and delivery company that offers an extensive fleet of “motorbike taxis” which are bookable via smartphone app.

According to Safety Detectives, the firm exposed its entire production server, including customers’ full names, phones numbers and email addresses, and drivers’ full names, phone numbers, addresses, license numbers and ID card (CNIC) details.

Also featured in the trove were Bykea employees’ unencrypted passwords and logins.

Other information exposed in the privacy snafu included API logs, delivery and collection location info, vehicle info, GPS coordinates and user device information.

The firm secured the server within 24 hours of being notified, on November 24.

If cyber-criminals were able to get hold of the leaked information it would have armed them with a major haul for carrying out follow-on phishing, identity theft and fraud.

“Full names, residential address details, ID documents like CNIC, online login information and location data could potentially be exploited by nefarious users to target unsuspecting people that registered with the company,” said Safety Detectives.

“Car registration and vehicle data could potentially be used to conduct insurance fraud and other heinous crimes involving stolen identities.”

With employee logins, attackers could also have attempted ransomware and other attacks against Bykea itself.